
Upload: sebastiannistor

Post on 16-Apr-2015


Page 1: EN 50126

Stresemannallee 15; 60596 Frankfurt am Main; Telephone: +49 69 6308-0; Fax: +49 69 6312925; E-mail: [email protected]; Internet: http://www.dke.de

IEC document, project: IEC 62278/Ed1

IEC 9/686/FDIS "IEC 62278: Railway applications - Specification and demonstration of reliability, availability, maintainability and safety (RAMS)"

Dear Sirs,

Enclosed please find the Final Draft International Standard named in the subject line, on which the Central Office of the IEC has requested a vote by 30.08.2002.

Should you be of the view that the FDIS should not be approved, please notify the German spokesman, by 02.08.2002 at the latest,

Mr Dipl.-Ing. Friedrich Moninger, Siemens AG, Dept. TS GTC 1, Werner-von-Siemens-Str. 67, 91056 Erlangen, Telephone: 09131 7-24161, E-mail: [email protected]

giving a corresponding justification in English using form DKEF08C.Doc.

We ask the German spokesman to inform us by 16.08.2002 at the latest whether the voting form is to be answered "yes" or "no". In the case of a rejection, please enclose a justification in English using form DKEF08C.Doc, preferably by e-mail or on diskette.

Note: Form DKEF08C.Doc can be downloaded from the DKE homepage www.dke.de at the address "http://www.dke.de/de/gstelle/mitteilungen/schriftstuecke.htm".

Kind regards

DKE Deutsche Kommission Elektrotechnik Elektronik Informationstechnik im DIN und VDE, Section K 351, signed Monika Graupner, Secretary

Enclosure

VDE – DKE · Stresemannallee 15 · 60596 Frankfurt am Main

351.1_0038-2002
351.2_0032-2002

Circular No. 351_0029-2002

Frankfurt am Main, 09.07.2002

Our reference: 1/351 gn
Direct line: + 49 69 6308-255
E-mail: [email protected]

DKE Deutsche Kommission Elektrotechnik Elektronik Informationstechnik im DIN und VDE, German member of IEC and CENELEC

DKE 713.4_0051-2002


9/686/FDIS
FINAL DRAFT INTERNATIONAL STANDARD

Project number: 62278 Ed.1
IEC/TC or SC: TC 9
Secretariat: France
Submitted for parallel voting in CENELEC
Distributed on: 2002-06-28
Voting terminates on: 2002-08-30
Also of interest to the following committees:
Supersedes document: 9/618/CDV
Functions concerned: Safety; EMC; Environment; Quality assurance

INTERNATIONAL ELECTROTECHNICAL COMMISSION

THIS DOCUMENT IS A DRAFT DISTRIBUTED FOR APPROVAL. IT MAY NOT BE REFERRED TO AS AN INTERNATIONAL STANDARD UNTIL PUBLISHED AS SUCH.

IN ADDITION TO THEIR EVALUATION AS BEING ACCEPTABLE FOR INDUSTRIAL, TECHNOLOGICAL, COMMERCIAL AND USER PURPOSES, FINAL DRAFT INTERNATIONAL STANDARDS MAY ON OCCASION HAVE TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL TO BECOME STANDARDS TO WHICH REFERENCE MAY BE MADE IN NATIONAL REGULATIONS.

Title: IEC 62278: Railway applications - Specification and demonstration of reliability, availability, maintainability and safety (RAMS)

FORM FDIS (IEC) 2002-05-14

Copyright © 2002 International Electrotechnical Commission, IEC. All rights reserved. It is permitted to download this electronic file, to make a copy and to print out the content for the sole purpose of preparing National Committee positions. You may not copy or "mirror" the file or printed version of the document, or any part of it, for any other purpose without permission in writing from IEC.


62278/FDIS © IEC – 2 –

CONTENTS

FOREWORD ........ 4
INTRODUCTION ........ 5

1 Scope ........ 6
2 Normative references ........ 6
3 Definitions ........ 7
4 Railway RAMS ........ 12
4.1 Introduction ........ 12
4.2 Railway RAMS and quality of service ........ 12
4.3 Elements of railway RAMS ........ 13
4.4 Factors influencing railway RAMS ........ 15
4.5 Means to achieve railway RAMS requirements ........ 20
4.6 Risk ........ 21
4.7 Safety integrity ........ 24
4.8 Fail-safe concept ........ 26

5 Management of railway RAMS ........ 26
5.1 General ........ 26
5.2 System life cycle ........ 27
5.3 Application of this standard ........ 35

6 RAMS life cycle ........ 37
6.1 Phase 1: Concept ........ 37
6.2 Phase 2: System definition and application conditions ........ 39
6.3 Phase 3: Risk analysis ........ 42
6.4 Phase 4: System requirements ........ 44
6.5 Phase 5: Apportionment of system requirements ........ 48
6.6 Phase 6: Design and implementation ........ 50
6.7 Phase 7: Manufacturing ........ 52
6.8 Phase 8: Installation ........ 53
6.9 Phase 9: System validation (including safety acceptance and commissioning) ........ 55
6.10 Phase 10: System acceptance ........ 57
6.11 Phase 11: Operation and maintenance ........ 58
6.12 Phase 12: Performance monitoring ........ 59
6.13 Phase 13: Modification and retrofit ........ 60
6.14 Phase 14: Decommissioning and disposal ........ 62

Annex A (informative) Outline of RAMS specification – example ........ 64
Annex B (informative) RAMS programme ........ 69
Annex C (informative) Examples of parameters for railway ........ 74
Annex D (informative) Examples of some risk acceptance principles ........ 76
Annex E (informative) Responsibilities within the RAMS process throughout the life cycle ........ 80


Figure 1 – Quality of Service and Railway RAMS ........ 13
Figure 2 – Inter-relation of Railway RAMS elements ........ 13
Figure 3 – Effects of Failures Within a System ........ 15
Figure 4 – Influences on RAMS ........ 15
Figure 5 – Factors Influencing Railway RAMS ........ 17
Figure 6 – Example of a Cause/Effect Diagram ........ 20
Figure 7 – Certified Products in Safety Systems ........ 25
Figure 8 – System Life cycle ........ 28
Figure 9 – Project Phase Related Tasks ........ 29
Figure 10 – The "V" Representation ........ 34
Figure 11 – Verification and Validation ........ 35
Figure 12 – RAMS Engineering and Management Implemented within a System Realisation Process ........ 37

Table 1 – RAM Failure Categories ........ 21
Table 2 – Frequency of Occurrence of Hazardous Events ........ 22
Table 4 – Frequency - Consequence Matrix ........ 23
Table 5 – Qualitative Risk Categories ........ 23
Table 6 – Typical Example of Risk Evaluation and Acceptance ........ 24
Table B.1 – Example of a Basic RAMS Programme Outline ........ 70
Table C.1 – Examples of Reliability Parameters ........ 74
Table C.2 – Examples of Maintainability Parameters ........ 74
Table C.3 – Examples of Availability Parameters ........ 75
Table C.4 – Examples of Logistic Support Parameters ........ 75
Table C.5 – Examples of Safety Performance Parameters ........ 75


INTERNATIONAL ELECTROTECHNICAL COMMISSION
____________

RAILWAY APPLICATIONS – SPECIFICATION AND DEMONSTRATION OF RELIABILITY, AVAILABILITY, MAINTAINABILITY AND SAFETY (RAMS)

FOREWORD

1) The IEC (International Electrotechnical Commission) is a worldwide organization for standardization comprising all national electrotechnical committees (IEC National Committees). The object of the IEC is to promote international co-operation on all questions concerning standardization in the electrical and electronic fields. To this end and in addition to other activities, the IEC publishes International Standards. Their preparation is entrusted to technical committees; any IEC National Committee interested in the subject dealt with may participate in this preparatory work. International, governmental and non-governmental organizations liaising with the IEC also participate in this preparation. The IEC collaborates closely with the International Organization for Standardization (ISO) in accordance with conditions determined by agreement between the two organizations.

2) The formal decisions or agreements of the IEC on technical matters express, as nearly as possible, an international consensus of opinion on the relevant subjects since each technical committee has representation from all interested National Committees.

3) The documents produced have the form of recommendations for international use and are published in the form of standards, technical specifications, technical reports or guides and they are accepted by the National Committees in that sense.

4) In order to promote international unification, IEC National Committees undertake to apply IEC International Standards transparently to the maximum extent possible in their national and regional standards. Any divergence between the IEC Standard and the corresponding national or regional standard shall be clearly indicated in the latter.

5) The IEC provides no marking procedure to indicate its approval and cannot be rendered responsible for any equipment declared to be in conformity with one of its standards.

6) Attention is drawn to the possibility that some of the elements of this International Standard may be the subject of patent rights. The IEC shall not be held responsible for identifying any or all such patent rights.

International Standard IEC 62278 has been prepared by IEC technical committee 9: Electric railway equipment.

This standard, based on the European Norm EN 50126, was prepared by Technical Committee CENELEC TC 9X: Electrical and electronic applications for railways. It was submitted to the National Committees for voting under the Fast Track Procedure as the following documents:

FDIS          Report on voting
9/XX/FDIS     9/XX/RVD

Full information on the voting for the approval of this standard can be found in the report on voting indicated in the above table.

This standard does not follow the rules for structuring International Standards as given in Part 2 of the ISO/IEC Directives.

NOTE This standard has been reproduced without significant modification to its original content or drafting.

The committee has decided that the contents of this publication will remain unchanged until 2008. At this date, the publication will be

• reconfirmed;
• withdrawn;
• replaced by a revised edition, or
• amended.


INTRODUCTION

This International Standard provides Railway Authorities and railway support industry with a process which will enable the implementation of a consistent approach to the management of reliability, availability, maintainability and safety, denoted by the acronym RAMS. Processes for the specification and demonstration of RAMS requirements are the cornerstones of this standard. This standard aims to promote a common understanding and approach to the management of RAMS.

This standard can be applied systematically by a Railway Authority and railway support industry, throughout all phases of the life cycle of a railway application, to develop railway-specific RAMS requirements and to achieve compliance with these requirements. The systems-level approach defined by this standard facilitates assessment of the RAMS interactions between elements of complex railway applications.

This standard promotes co-operation between a Railway Authority and railway support industry, within a variety of procurement strategies, in the achievement of an optimal combination of RAMS and cost for railway applications.

The process defined by this standard assumes that Railway Authorities and railway support industry have business-level policies addressing Quality, Performance and Safety. The approach defined in this standard is consistent with the application of quality management requirements contained within the ISO 9000 family of International Standards.


RAILWAY APPLICATIONS – SPECIFICATION AND DEMONSTRATION OF RELIABILITY, AVAILABILITY, MAINTAINABILITY AND SAFETY (RAMS)

1 Scope

1.1 This International Standard

– defines RAMS in terms of reliability, availability, maintainability and safety and their interaction;
– defines a process, based on the system life cycle and tasks within it, for managing RAMS;
– enables conflicts between RAMS elements to be controlled and managed effectively;
– defines a systematic process for specifying requirements for RAMS and demonstrating that these requirements are achieved;
– addresses railway specifics;
– does not define RAMS targets, quantities, requirements or solutions for specific railway applications;
– does not specify requirements for ensuring system security;
– does not define rules or processes pertaining to the certification of railway products against the requirements of this standard;
– does not define an approval process by the safety regulatory authority.

1.2 This International Standard is applicable

– to the specification and demonstration of RAMS for all railway applications and at all levels of such an application, as appropriate, from complete railway routes to major systems within a railway route, and to individual and combined sub-systems and components within these major systems, including those containing software; in particular

  • to new systems,
  • to new systems integrated into existing systems in operation prior to the creation of this standard, although it is not generally applicable to other aspects of the existing system,
  • to modifications of existing systems in operation prior to the creation of this standard, although it is not generally applicable to other aspects of the existing system;

– at all relevant phases of the life cycle of an application;
– for use by Railway Authorities and railway support industry.

NOTE Guidance on the applicability is given in the requirements of this standard.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.


IEC 60050(191):1990, International Electrotechnical Vocabulary (IEV) – Chapter 191: Dependability and quality of service

IEC 61508 (all parts), Functional safety of electrical/electronic/programmable electronic safety-related systems

IEC 62279, Railway applications – Communications, signalling and processing systems – Software for railway control and protection systems 1)

ISO 9001:2000, Quality Management Systems – Requirements

ENV 50129:1998, Railway applications – Safety related electronic systems for signalling

3 Definitions

For the purposes of this standard, the following definitions apply.

3.1 apportionment
process whereby the RAMS elements for a system are sub-divided between the various items which comprise the system to provide individual targets

3.2 assessment
undertaking of an investigation in order to arrive at a judgement, based on evidence, of the suitability of a product

3.3 audit
systematic and independent examination to determine whether the procedures specific to the requirements of a product comply with the planned arrangements, are implemented effectively and are suitable to achieve the specified objectives

3.4 availability
ability of a product to be in a state to perform a required function under given conditions at a given instant of time or over a given time interval assuming that the required external resources are provided

3.5 commissioning
collective term for the activities undertaken to prepare a system or product prior to demonstrating that it meets its specified requirements

3.6 common cause failure
failure which is the result of an event(s) which causes a coincidence of failure states of two or more components leading to a system failing to perform its required function

3.7 compliance
demonstration that a characteristic or property of a product satisfies the stated requirements.

___________
1) To be published.


3.8 configuration management
discipline applying technical and administrative direction and surveillance to identify and document the functional and physical characteristics of a configuration item, control change to those characteristics, record and report change processing and implementation status and verify compliance with specified requirements

3.9 corrective maintenance
maintenance carried out after fault recognition and intended to put a product into a state in which it can perform a required function

3.10 dependent failure
failure of a set of events, the probability of which cannot be expressed as the simple product of the unconditional probabilities of the individual events

3.11 down time
time interval during which a product is in a down state
[IEC 60050(191), modified]

3.12 failure cause
circumstances during design, manufacture or use which have led to a failure
[IEC 60050(191)]

3.13 failure mode
predicted or observed results of a failure cause on a stated item in relation to the operating conditions at the time of the failure

3.14 failure rate
limit, if this exists, of the ratio of the conditional probability that the instant of time, T, of a failure of a product falls within a given time interval (t, t+∆t) and the length of this interval, ∆t, when ∆t tends towards zero, given that the item is in an up state at the start of the time interval
NOTE For applications where distance travelled or number of cycles of operation is more relevant than time then the unit of time may be replaced by the unit of distance or cycles, as appropriate.

3.15 fault mode
one of the possible states of a faulty item, for a given required function
[IEC 60050(191)]

3.16 fault tree analysis
analysis to determine which fault modes of the product, sub-products or external events, or combinations thereof, may result in a stated fault mode of the product, presented in the form of a fault tree

3.17 hazard
physical situation with a potential for human injury and/or damage to environment


3.18 hazard log
document in which all safety management activities, hazards identified, decisions made and solutions adopted are recorded or referenced. Also known as a "Safety Log"
[ENV 50129]

3.19 logistic support
overall resources which are arranged and organised in order to operate and maintain the system at the specified availability level at the required life cycle cost

3.20 maintainability
probability that a given active maintenance action, for an item under given conditions of use can be carried out within a stated time interval when the maintenance is performed under stated conditions and using stated procedures and resources
[IEC 60050(191)]

3.21 maintenance
the combination of all technical and administrative actions, including supervision actions, intended to retain an item in, or restore it to, a state in which it can perform a required function
[IEC 60050(191)]

3.22 maintenance policy
description of the inter-relationship between the maintenance echelons, the indenture levels and the levels of maintenance to be applied for the maintenance of an item
[IEC 60050(191)]

3.23 mission
objective description of the fundamental task performed by a system

3.24 mission profile
outline of the expected range and variation in the mission with respect to parameters such as time, loading, speed, distance, stops, tunnels, etc. in the operational phases of the life cycle

3.25 preventive maintenance
maintenance carried out at predetermined intervals or according to prescribed criteria and intended to reduce the probability of failure or the degradation of the functioning of an item
[IEC 60050(191)]

3.26 Railway Authority
body with the overall accountability to a Regulator for operating a railway system
NOTE Railway Authority accountabilities for the overall system or its parts and life cycle activities are sometimes split between one or more bodies or entities. For example:

– the owner(s) of one or more parts of the system assets and their purchasing agents;


– the operator of the system;

– the maintainer(s) of one or more parts of the system;

– etc.

Such splits are based on either statutory instruments or contractual agreements. Such responsibilities should therefore be clearly stated at the earliest stages of a system life cycle.

3.27 railway support industry
generic term denoting supplier(s) of complete railway systems, their sub-systems or component parts

3.28 reliability and maintainability programme
documented set of time scheduled activities, resources and events serving to implement the organisation structure, responsibilities, procedures, activities, capabilities and resources that together ensure that an item will satisfy given reliability performance and maintainability performance requirements relevant to a given contract or project

3.29 RAMS
acronym meaning a combination of Reliability, Availability, Maintainability and Safety

3.30 reliability
probability that an item can perform a required function under given conditions for a given time interval (t1, t2)
[IEC 60050(191)]
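The failure-rate limit of 3.14 and the interval reliability of 3.30 are two views of the same quantity. The derivation below is a worked example added to this transcript for clarification; it is not part of the standard's text. It assumes a product that is in an up state at $t = 0$ and writes $T$ for the random instant of its failure, as in 3.14; the numerical values at the end are constructed for illustration only.

$$F(t) = P(T \le t), \qquad R(t) = 1 - F(t) = P(T > t), \qquad f(t) = F'(t)$$

The conditional probability named in 3.14, that the failure falls in $(t, t+\Delta t)$ given the item is up at $t$:

$$P\bigl(t < T \le t + \Delta t \,\big|\, T > t\bigr) = \frac{F(t+\Delta t) - F(t)}{R(t)}$$

Dividing by the interval length and letting $\Delta t \to 0$ gives the failure rate as the limit in 3.14:

$$\lambda(t) = \lim_{\Delta t \to 0} \frac{1}{\Delta t}\,\frac{F(t+\Delta t) - F(t)}{R(t)} = \frac{f(t)}{R(t)} = -\frac{R'(t)}{R(t)} = -\frac{d}{dt}\ln R(t)$$

Integrating from $0$ to $t$ with $R(0) = 1$ recovers the reliability over $(0, t)$ from the failure rate:

$$R(t) = \exp\!\Bigl(-\int_0^t \lambda(u)\,du\Bigr)$$

The reliability over an interval $(t_1, t_2)$ in the sense of 3.30, given that the item is up at $t_1$, is then

$$R(t_1, t_2) = P(T > t_2 \mid T > t_1) = \frac{R(t_2)}{R(t_1)} = \exp\!\Bigl(-\int_{t_1}^{t_2} \lambda(u)\,du\Bigr)$$

A single quoted failure rate (per hour, or per km or per cycle as the NOTE to 3.14 allows) presumes $\lambda$ constant over the interval, in which case

$$R(t_1, t_2) = e^{-\lambda (t_2 - t_1)}, \qquad \text{e.g. } \lambda = 10^{-5}\,\mathrm{h^{-1}},\ t_2 - t_1 = 1000\,\mathrm{h}:\ R = e^{-0.01} \approx 0.990$$

Note that this is reliability only; availability (3.4) additionally depends on down time (3.11) and hence on maintainability (3.20), which the above does not model.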

3.31 reliability growth
condition characterised by a progressive improvement of a reliability performance measure of an item with time
[IEC 60050(191)]

3.32 repair
that part of a corrective maintenance in which manual actions are performed on the item
[IEC 60050(191)]

3.33 restoration
that event when the item regains the ability to perform a required function after a fault
[IEC 60050(191)]

3.34 risk
probable rate of occurrence of a hazard causing harm and the degree of severity of the harm

3.35 safety
freedom from unacceptable risk of harm


3.36 safety case
documented demonstration that the product complies with the specified safety requirements

3.37 safety integrity
likelihood of a system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time

3.38 safety integrity level (SIL)
one of a number of defined discrete levels for specifying the safety integrity requirements of the safety functions to be allocated to the safety related systems. The Safety Integrity Level with the highest figure has the highest level of safety integrity

3.39 Safety Plan
documented set of time scheduled activities, resources and events serving to implement the organisational structure, responsibilities, procedures, activities, capabilities and resources that together ensure that an item will satisfy given safety requirements relevant to a given contract or project

3.40 safety regulatory authority
often a national government body responsible for setting or agreeing the safety requirements for a railway and ensuring that the railway complies with the requirements

3.41 system life cycle
activities occurring during a period of time that starts when a system is conceived and ends when the system is no longer available for use, is decommissioned and is disposed of

3.42 systematic failures
failures due to errors in any safety life cycle activity, within any phase, which cause it to fail under some particular combination of inputs or under some particular environmental condition

3.43 tolerable risk
maximum level of risk of a product that is acceptable to the Railway Authority

3.44 validation
confirmation by examination and provision of objective evidence that the particular requirements for a specific intended use have been fulfilled

3.45 verification
confirmation by examination and provision of objective evidence that the specified requirements have been fulfilled.
NOTE For clarification between verification and validation, see figure 11 and 5.2.9.


4 Railway RAMS

4.1 Introduction

4.1.1 This clause provides baseline information on the subject of RAMS and RAMSengineering. The purpose of this clause is to provide the reader with sufficient backgroundinformation to enable the effective application of this standard to railway systems.

4.1.2 Railway RAMS is a major contributor to the Quality of Service provided by a RailwayAuthority. Railway RAMS is defined by several contributory elements; consequently, this clauseis structured as follows:

a) subclause 4.2 examines the relationship between railway RAMS and quality of service;.b) subclauses 4.3 to 4.8 examine aspects of railway RAMS, namely:

– the elements of RAMS;– the factors which influence RAMS and means to achieve RAMS;– risk and safety integrity.

4.1.3 Where possible within this clause, internationally defined terms are used, but where newterms are required or where recognised terms have been made specific in the railway context,these are defined in clause 3 of this standard.

4.1.4 Within this standard, the sequence ”system, sub-system, component” is used todemonstrate the breakdown of any complete application into its constituent parts. The preciseboundary of each term (system, sub-system and component) will depend upon the specificapplication.

4.1.5 A system can be defined as an assembly of sub-systems and components, connectedtogether in an organised way, to achieve specified functionality. Functionality is assigned tosub-systems and components within a system and the behaviour and state of the system ischanged if the sub-system or component functionality changes. A system responds to inputs toproduce specified outputs, whilst interacting with an environment.

4.2 Railway RAMS and quality of service

4.2.1 This subclause introduces the link between RAMS and quality of service for an undertaking.

4.2.2 RAMS is a characteristic of a system's long term operation and is achieved by the application of established engineering concepts, methods, tools and techniques throughout the life cycle of the system. The RAMS of a system can be characterised as a qualitative and quantitative indicator of the degree that the system, or the sub-systems and components comprising that system, can be relied upon to function as specified and to be both available and safe. System RAMS, in the context of this standard, is a combination of reliability, availability, maintainability and safety, designated RAMS.

4.2.3 The goal of a railway system is to achieve a defined level of rail traffic in a given time, safely. Railway RAMS describes the confidence with which the system can guarantee the achievement of this goal. Railway RAMS has a clear influence on the quality with which the service is delivered to the customer. Quality of Service is influenced by other characteristics concerning functionality and performance, for example frequency of service, regularity of service and fare structure. This relationship is shown in figure 1.


Figure 1 – Quality of Service and Railway RAMS (diagram: Quality of service shown as the combination of Railway RAMS and other attributes)

4.3 Elements of railway RAMS

4.3.1 This subclause introduces the interaction between the RAMS elements, reliability, availability, maintainability and safety, in the context of railway systems.

4.3.2 Safety and availability are inter-linked in the sense that a weakness in either, or mismanagement of conflicts between safety and availability requirements, may prevent achievement of a dependable system. The inter-linking of the railway RAMS elements, reliability, availability, maintainability and safety, is shown in figure 2.

4.3.3 Attainment of in-service safety and availability targets can only be achieved by meeting all reliability and maintainability requirements and controlling the ongoing, long-term maintenance and operational activities and the system environment.

4.3.4 Security, as an element that characterises the resilience of a railway system to vandalism and unreasonable human behaviour, can be considered as a further component of RAMS. However, consideration of security is outside the scope of this standard.

Figure 2 – Inter-relation of railway RAMS elements (diagram: safety and availability, resting on reliability and maintainability and on operation and maintenance, together make up railway RAMS)

4.3.5 Technical concepts of availability are based on a knowledge of

a) reliability in terms of

− all possible system failure modes in the specified application and environment;

− the probability of occurrence of each failure or alternatively, the rate of occurrence of each failure;

− the effect of the failure on the functionality of the system;


b) maintainability in terms of

− time for the performance of planned maintenance;

− time for detection, identification and location of the faults;

− time for the restoration of the failed system (unplanned maintenance);

c) operation and maintenance in terms of

− all possible operation modes and required maintenance, over the system life cycle;

− the human factor issues.
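A worked example of the availability inputs listed in 4.3.5, added here and not part of the standard: it combines a failure rate (4.3.5 a)) with fault detection/location time, restoration time and planned maintenance time (4.3.5 b)) into inherent and operational availability, and shows how subsystem availabilities combine when the system needs all of them (series) or only one of a redundant pair (parallel). The subsystem names and figures are constructed for illustration; `HOURS_PER_YEAR`, the `Subsystem` class and the combining functions are this example's own.

```python
"""Availability from reliability and maintainability figures (4.3.5).

Added example, not part of EN 50126 / IEC 62278. The subsystem names,
failure rates and repair times are constructed for illustration.
"""
from dataclasses import dataclass
from functools import reduce
from operator import mul
from typing import Dict

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class Subsystem:
    name: str
    failure_rate: float          # failures per operating hour (lambda), 4.3.5 a)
    detect_locate_h: float       # time to detect, identify and locate the fault, 4.3.5 b)
    restore_h: float             # time to restore the failed subsystem (unplanned maintenance)
    planned_maint_h_year: float  # planned maintenance downtime per year

    def mtbf(self) -> float:
        """Mean time between failures for a constant failure rate: 1 / lambda."""
        return 1.0 / self.failure_rate

    def mttr(self) -> float:
        """Unplanned downtime per failure: fault location plus restoration."""
        return self.detect_locate_h + self.restore_h

    def inherent_availability(self) -> float:
        """A_i = MTBF / (MTBF + MTTR): unplanned downtime only."""
        return self.mtbf() / (self.mtbf() + self.mttr())

    def operational_availability(self) -> float:
        """A_o also charges planned maintenance against the year.

        Approximation: planned and unplanned downtime are assumed not to
        overlap, so the planned fraction is subtracted from A_i."""
        planned_fraction = self.planned_maint_h_year / HOURS_PER_YEAR
        return max(0.0, self.inherent_availability() - planned_fraction)


def series(*availabilities: float) -> float:
    """All subsystems are needed for the function: A = product of the A_i."""
    return reduce(mul, availabilities, 1.0)


def parallel(*availabilities: float) -> float:
    """Any one of a redundant set suffices (independent failures):
    A = 1 - product of (1 - A_i)."""
    return 1.0 - reduce(mul, (1.0 - a for a in availabilities), 1.0)


def downtime_hours_per_year(availability: float) -> float:
    """Expected downtime implied by an availability figure."""
    return (1.0 - availability) * HOURS_PER_YEAR


def evaluate_route() -> Dict[str, float]:
    """Constructed example: a route needs the interlocking, the radio link and
    at least one of two redundant traction supplies. Returns the key figures."""
    interlocking = Subsystem("interlocking", 1e-4, 1.0, 3.0, 8.76)
    radio = Subsystem("radio", 5e-4, 0.5, 2.5, 17.52)
    supply = Subsystem("traction supply", 2e-3, 0.5, 4.5, 43.8)

    a_supply = parallel(supply.operational_availability(),
                        supply.operational_availability())
    a_route = series(interlocking.operational_availability(),
                     radio.operational_availability(),
                     a_supply)
    return {
        "interlocking_A_i": interlocking.inherent_availability(),
        "interlocking_A_o": interlocking.operational_availability(),
        "redundant_supply_A_o": a_supply,
        "route_A_o": a_route,
        "route_downtime_h_year": downtime_hours_per_year(a_route),
    }


if __name__ == "__main__":
    for key, value in evaluate_route().items():
        print(f"{key:>24}: {value:.6f}")
```

The point the numbers make is the one 4.3.3 states in words: the route availability is bounded by its weakest series element, and redundancy only helps the element it is applied to, while fault location time counts against availability just as repair time does.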

4.3.6 Technical concepts of safety are based on a knowledge of

a) all possible hazards in the system, under all operation, maintenance and environment modes;

b) the characteristic of each hazard in terms of its severity of consequences;

c) safety/safety related failures in terms of

− all system failure modes that could lead to a hazard (safety related failure modes). This is a sub-set of all reliability failure modes (4.3.5 a));

− the probability of occurrence of each safety related system failure mode;

− sequence and/or coincidence of events, failures, operational states, environment conditions, etc. in the application, that may result in an accident (i.e. a hazard resulting in an accident);

− the probability of occurrence of each of the events, failures, operational states, environment conditions, etc. in the application;

d) maintainability of safety related parts of the system in terms of

− the ease of performing maintenance on those aspects or parts of the system or its components that are associated with a hazard or with a safety related failure mode;

− probability of errors occurring during maintenance actions on those safety related parts of the system;

− time for restoring the system to a safe state;

e) system operation and maintenance of safety related parts of the system in terms of

− human factor influence on the effective maintenance of all safety related parts of the system and safe operation of the system;

− tools, facilities and procedures for effective maintenance of the safety related parts of the system and for safe operation;

− effective controls and measures for dealing with a hazard and mitigating its consequences.

4.3.7 Failures in a system, operating within the bounds of an application and environment, will have some effect on the behaviour of the system. All failures adversely affect the system reliability, whereas only some specific failures will have an adverse effect on safety within the particular application. Environment may also influence the functionality of the system and in turn the safety of the railway application. These links are shown in figure 3.


Figure 3 – Effects of failures within a system (diagram: within the railway application environment, disturbance threats move the railway system from functional states into failed states/failure modes; all of these adversely affect reliability, and the safety related failure modes among them also adversely affect safety)

4.3.8 A dependable railway system can only be realised through consideration of the interactions of RAMS elements within a system and the specification and achievement of the optimum RAMS combination for the system.

4.4 Factors influencing railway RAMS

4.4.1 General

4.4.1.1 This subclause introduces and defines a process to support the identification of factors which influence the RAMS of railway systems, with particular consideration given to the influence of human factors. These factors, and their effects, are an input to the specification of RAMS requirements for systems.

4.4.1.2 The RAMS of a railway system is influenced in three ways: by sources of failure introduced internally within the system at any phase of the system life cycle (system conditions), by sources of failure imposed on the system during operation (operating conditions) and by sources of failure imposed on the system during maintenance activities (maintenance conditions). These sources of failure can interact. This relationship is shown in figure 4 and detailed in figure 5.

Figure 4 – Influences on RAMS (diagram: system conditions, operating conditions and maintenance conditions each act on RAMS)

4.4.1.3 To realise dependable systems, factors which could influence the RAMS of the system need to be identified, their effect assessed and the cause of these effects managed throughout the life cycle of the system, by the application of appropriate controls, to optimise system performance.

4.4.2 Categories of factors

4.4.2.1 This subclause details a process for the definition of those factors which will affect the successful achievement of a system which complies with specified RAMS requirements.

4.4.2.2 At a high level, the factors which influence system RAMS are generic, applying across all industrial applications. Figure 5 includes some generic factors which influence transport system RAMS. This figure also shows the interaction between these factors. To identify detailed factors which influence the RAMS of railway systems, each generic influencing factor shall be considered in the context of the specific system.


4.4.2.3 An analysis of human factors, with respect to their effect on system RAMS, is inherent within the "systems approach" required by this standard.

4.4.2.4 Human factors can be defined as the impact of human characteristics, expectations and behaviour upon a system. These factors include the anatomical, physiological and psychological aspects of humans. The concepts within human factors are used to enable people to carry out work efficiently and effectively, with due regard for human needs on issues such as health, safety and job satisfaction.

4.4.2.5 Railway applications typically involve a wide range of human groups, from passengers, operational staff and staff responsible for implementing systems to others affected by the railway operation, such as car drivers at level crossings. Each is capable of reacting to situations in different ways. Clearly, the potential impact of humans on the RAMS of a railway system is great. Consequently, the achievement of railway RAMS requires more rigorous control of human factors, throughout the entire system life cycle, than is required in many other industrial applications.

4.4.2.6 Humans shall be considered as possessing the ability to positively contribute to the RAMS of a railway system. To achieve this aim, the manner in which human factors can influence railway RAMS should be identified and managed throughout the entire life cycle. This analysis should include the potential impact of human factors on railway RAMS within the design and development phases of the system.

4.4.2.7 Whilst the need to address human factors within the life cycle is generic, the precise influence of human factors on RAMS is specific to the application under consideration.

4.4.2.8 Generic factors, including those contained in figure 5, should be reviewed in the context of the railway system under consideration. The Railway Authority shall specify any non-applicable factors in their call for tenders. Each applicable generic factor shall be assessed and detailed influencing factors, specific to the application, systematically derived. Human factor issues, a core aspect within an integrated RAMS management process, shall be addressed within this assessment.

4.4.2.9 The process of deriving detailed influencing factors shall be supported by the use of the two checklists covering railway specific factors (4.4.2.10) and human factors (4.4.2.11), or as an alternative presentation, figure 5.

Figure 5 – Factors Influencing Railway RAMS

(Diagram, reconstructed from the figure labels: Railway RAMS, shown as availability and safety, is acted on by three groups of conditions.)

System conditions: technical characteristics and maintainability, including
– random failure: operating modes, environment, stress degradation, wear out, over stress, etc.;
– systematic failure: errors in requirements, design and realisation inadequacies, manufacturing deficiencies, inherent weaknesses, software errors, operating instruction deficiencies, instruction inadequacies, human errors, etc.;
– diagnostics (internal, external) and logistics.

Operating conditions: mission profile, change in mission profile, environmental conditions, procedures, external disturbances, internal disturbances, reconfiguration modes, human factors and human errors, human corrective actions.

Maintenance conditions: maintenance procedures, logistics, corrective maintenance, preventive maintenance (scheduled, conditional), diagnostics (manual, automatic), human factors.


4.4.2.10 The derivation of detailed railway specific influencing factors should include, but not be limited to, a consideration of each of the following railway specific factors. It should be noted that the following checklist is non-exhaustive and should be adapted to the scope and purpose of the application.

a) System operation:

− the tasks which the system has to perform and the conditions in which the tasks have to be performed;

− the co-existence of passengers, freight, staff and systems within the operating environment;

− system life requirements, including system life expectancy, service intensity and life cycle cost requirements.

b) Environment:

− the physical environment;

− the high level of integration of railway systems within the environment;

− the limited opportunity for testing complete systems in the railway environment.

c) Application conditions:

− the constraints imposed by existing infrastructure and systems on the new system;

− the need to maintain rail services during life cycle tasks.

d) Operating conditions:

− trackside-based installation conditions;

− trackside-based maintenance conditions;

− the integration of existing systems and new systems during commissioning and operation.

e) Failure categories:

− the effects of failure within a distributed railway system.

4.4.2.11 The derivation of detailed human influencing factors should include, but not be limited to, a consideration of each of the following human factors. It should be noted that the following checklist is non-exhaustive and should be adapted to the scope and purpose of the application.

a) Allocation of system functions between human and machine.

b) Effect on human performance within the system of

− the human/system interface;

− the environment, including the physical environment and ergonomic requirements;

− human working patterns;

− human competence;

− the design of human tasks;

− human interworking;

− human feedback process;

− railway organisational structure;

− railway culture;

− professional railway vocabulary;

− problems arising from the introduction of new technology.


c) Requirements on the system arising from

− human competence;

− human motivation and aspiration support;

− mitigating the effects of human behavioural changes;

− operational safeguards;

− human reaction time and space.

d) Requirements on the system arising from human information processing capabilities, including:

− human/machine communications;

− density of information transfer;

− rate of information transfer;

− the quality of information;

− human reaction to abnormal situations;

− human training;

− supporting human decision making processes;

− other factors contributing to human strain.

e) Effect on the system of human/system interface factors, including:

− the design and operation of the human/system interface;

− the effect of human error;

− the effect of deliberate human rule violation;

− human involvement and intervention in the system;

− human system monitoring and override;

− human perception of risk;

− human involvement in critical areas of the system;

− human ability to anticipate system problems.

f) Human factors in system design and development, including:

− human competency;

− human independence during design;

− human involvement in verification and validation;

− interface between human and automated tools;

− systematic failure prevention processes.

4.4.2.12 A diagrammatic approach to the derivation of detailed factors, such as the use of cause/effect diagrams, is recommended. An example of a much simplified cause/effect diagram is shown in figure 6.


Figure 6 – Example of a cause/effect diagram (diagram: Railway RAMS as the effect, with cause branches for Environment, Organisation/management, Documentation, Mission profile, People, Equipment, System/operation and Maintenance)

4.4.3 Evaluation of factors

The potential effect of each influencing factor on the RAMS of the railway system under consideration shall be evaluated at a level appropriate to that system. This evaluation shall include a consideration of the effect of each factor at each phase of the life cycle. The evaluation shall address the interaction of associated influencing factors. For human factors, the evaluation shall also consider the effect of each factor in relation to each other.

4.5 Means to achieve railway RAMS requirements

4.5.1 General

4.5.1.1 The means to achieve railway RAMS requirements relate to controlling the factors which influence RAMS throughout the life of the system. Effective control requires the establishment of mechanisms and procedures to defend against sources of error being introduced during the realisation and support of the system. Such defences need to take account of both random and systematic failures.

4.5.1.2 The means used to achieve RAMS requirements are based on the concept of taking precautions to minimise the possibility of an impairment occurring as a result of an error during the life cycle phases. Precaution is a combination of

a) prevention: concerned with lowering the probability of the impairment,
b) protection: concerned with lowering the severity of the consequences of the impairment.

4.5.1.3 The strategy to achieve RAMS requirements for the system, including the use of prevention and/or protection means, shall be justified.

4.5.2 RAMS specification

4.5.2.1 The specification of RAMS requirements is a complex process. Annex A of this standard provides an example outline of a RAMS requirements specification, based on the process detailed in this standard. Annex B of this standard provides an example outline procedure for the definition of a RAMS programme, based on the requirements of this standard. Both informative annexes are for guidance only and have been compiled using rolling stock as an example. A list of suitable tools for RAMS analysis is also included in annex B. Selection of an appropriate tool will depend on the system under consideration and on factors such as the criticality, novelty, complexity, etc. of the system.


4.5.2.2 Table 1 defines RAM failure categories suitable for use in railway applications.

Table 1 – RAM failure categories

Failure category: Definition

Significant (immobilising failure): A failure that prevents train movement or causes a delay to service greater than a specified time and/or generates a cost greater than a specified level.

Major (service failure): A failure that
– must be rectified for the system to achieve its specified performance, and
– does not cause a delay or cost greater than the minimum threshold specified for a significant failure.

Minor: A failure that
– does not prevent a system achieving its specified performance, and
– does not meet the criteria for significant or major failures.

4.5.2.3 Suitable parameters to characterise reliability, availability, maintainability, logistic support and safety requirements of railway systems are shown in annex C (informative). Specific parameters will depend on the system under consideration. All RAMS parameters used should be agreed between the Railway Authority and the railway support industry. Where parameters may be expressed in alternative dimensions, conversion factors should be provided.

4.6 Risk

4.6.1 Risk concept

The concept of risk is the combination of two elements:

– the probability of occurrence of an event or combination of events leading to a hazard, or the frequency of such occurrences;

– the consequence of the hazard.

4.6.2 Risk analysis

4.6.2.1 Risk analysis shall be performed at various phases of the system life cycle by the authority responsible for that phase and shall be documented. The documentation shall contain, as a minimum:

a) analysis methodology;
b) assumptions, limitations and justification of the methodology;
c) hazard identification results;
d) risk estimation results and their confidence levels;
e) results of trade-off studies;
f) data, their sources and confidence levels;
g) references.


4.6.2.2 Table 2 provides, in qualitative terms, typical categories of probability or frequency of occurrence of a hazardous event and a description of each category for a railway system. The categories, their numbers, and their numerical scaling to be applied shall be defined by the Railway Authority, appropriate to the application under consideration.

Table 2 – Frequency of occurrence of hazardous events

Category: Description

Frequent: Likely to occur frequently. The hazard will be continually experienced.
Probable: Will occur several times. The hazard can be expected to occur often.
Occasional: Likely to occur several times. The hazard can be expected to occur several times.
Remote: Likely to occur sometime in the system life cycle. The hazard can reasonably be expected to occur.
Improbable: Unlikely to occur but possible. It can be assumed that the hazard may exceptionally occur.
Incredible: Extremely unlikely to occur. It can be assumed that the hazard may not occur.

4.6.2.3 Consequence analysis shall be used to estimate the likely impact. Table 3 describes typical hazard severity levels and the consequences associated with each severity level for all railway systems. The number of severity levels and the consequences for each severity level to be applied shall be defined by the Railway Authority, appropriate for the application under consideration.

Table 3 – Hazard severity level

Catastrophic
  Consequence to persons or environment: Fatalities and/or multiple severe injuries and/or major damage to the environment
  Consequence to service: –

Critical
  Consequence to persons or environment: Single fatality and/or severe injury and/or significant damage to the environment
  Consequence to service: Loss of a major system

Marginal
  Consequence to persons or environment: Minor injury and/or significant threat to the environment
  Consequence to service: Severe system(s) damage

Insignificant
  Consequence to persons or environment: Possible minor injury
  Consequence to service: Minor system damage

4.6.3 Risk evaluation and acceptance

4.6.3.1 This subclause deals with the formation of a "frequency - consequence" matrix for evaluation of the results of risk analysis, risk categorisation, actions for risk reduction or elimination of intolerable risks, and for risk acceptance.

4.6.3.2 Risk evaluation shall be performed by combining the frequency of occurrence of a hazardous event with the severity of its consequence to establish the level of risk generated by the hazardous event. A "frequency - consequence" matrix is shown in table 4.


Table 4 – Frequency - consequence matrix

(Blank matrix: rows are the frequency of occurrence of a hazardous event, Frequent, Probable, Occasional, Remote, Improbable and Incredible; columns are the severity levels of hazard consequence, Insignificant, Marginal, Critical and Catastrophic; each cell holds the resulting risk level.)

4.6.3.3 Risk acceptance should be based on a generally accepted principle. A number of principles are available that may be utilised. Some examples are as follows (also see annex D for more information on these principles):

– As Low As Reasonably Practicable (ALARP principle as practised in UK);
– Globalement Au Moins Aussi Bon (GAMAB principle as practised in France). The complete formulation of this principle is "All new guided transport systems must offer a level of risk globally at least as good as the one offered by any equivalent existing system";
– Minimum Endogenous Mortality (MEM principle as practised in Germany).

Table 5 defines qualitative categories of risk and the actions to be applied against each category. The Railway Authority shall be responsible for defining the principle to be adopted, the tolerability level of a risk and the levels that fall into the different risk categories.

Table 5 – Qualitative risk categories

Risk category: Actions to be applied against each category

Intolerable: Shall be eliminated
Undesirable: Shall only be accepted when risk reduction is impracticable and with the agreement of the Railway Authority or the Safety Regulatory Authority, as appropriate
Tolerable: Acceptable with adequate control and with the agreement of the Railway Authority
Negligible: Acceptable with/without the agreement of the Railway Authority

4.6.3.4 Table 6 shows an example of risk evaluation and risk reduction/controls for risk acceptance.


Table 6 – Typical example of risk evaluation and acceptance

Rows: frequency of occurrence of a hazardous event *. Columns: severity levels of hazard consequence. Cells: resulting risk level.

                 Insignificant   Marginal       Critical       Catastrophic
Frequent         Undesirable     Intolerable    Intolerable    Intolerable
Probable         Tolerable       Undesirable    Intolerable    Intolerable
Occasional       Tolerable       Undesirable    Undesirable    Intolerable
Remote           Negligible      Tolerable      Undesirable    Undesirable
Improbable       Negligible      Negligible     Tolerable      Tolerable
Incredible       Negligible      Negligible     Negligible     Negligible

* Scaling for the frequency of occurrence of hazardous events will depend on the application under consideration (4.6.2.2).

Risk evaluation: Risk reduction/control

Intolerable: Shall be eliminated
Undesirable: Shall only be accepted when risk reduction is impracticable and with the agreement of the Railway Authority
Tolerable: Acceptable with adequate control and the agreement of the Railway Authority
Negligible: Acceptable without any agreement

4.7 Safety integrity

4.7.1 When the level of safety for the application has been set and the necessary risk reduction estimated, based on the results of the risk assessment process, the safety integrity requirements, for the systems and components of the application, can be derived. Safety integrity can be viewed as a combination of quantifiable elements (generally associated with hardware, i.e. random failures) and non-quantifiable elements (generally associated with systematic failures in software, specification, documents, processes, etc.). External risk reduction facilities and the system risk reduction facilities should match the necessary risk reduction required for the system to meet its target level of safety.

4.7.2 Confidence in the achievement of the safety integrity of a function within a system may be obtained through the effective application of a combination of specific architecture, methods, tools and techniques. Safety integrity correlates to the probability of failure to achieve required safety functionality. Functions with greater integrity requirements are likely to be more expensive to realise. This standard does not define the correlation between safety integrity and failure probabilities for railway systems, although it should be noted that a generic correlation is defined within the IEC 61508 series. The definition of this correlation for railway applications is the responsibility of the Railway Authority. However, the management process defined within this standard is generic and suitable for use with any correlation, as agreed by individual authorities or jointly by European Railway Authorities.

4.7.3 Safety functions within systems should be implemented using the architecture, methods, tools and techniques defined in other relevant detailed standards. For example, IEC 62279 defines methods, tools and techniques to develop software systems and ENV 50129 defines a process for the acceptance and approval of electronic railway signalling systems.


4.7.4 Safety integrity is basically specified for safety functions. Safety functions should be assigned to safety systems and/or to external risk reduction facilities. This assignment process is iterative, in order to optimise the design and cost of the overall system.

4.7.5 It is the Safety Plan and the RAM Programme which, when implemented effectively, give confidence in the ability of the final system to achieve compliance with RAMS requirements.

4.7.6 The following points concerning product safety integrity shall be noted:

a) safety functionality required of a system, and its corresponding safety integrity, is influenced by the environment in which the system is used;

b) when a product is developed using methods, tools and techniques appropriate to a specific safety integrity, claims may be made that the product is a safety integrity level "X" product. This claim means that the product will exhibit specific functionality, within a stated environment, at a certain integrity;

c) figure 7 shows that the use of commercial "off the shelf" products may differ within different applications. For example Product A is being used to implement different functions within Systems 1 and 2. Consequently, the safety integrity required of a product may differ between applications. Therefore, before applying a product within any system, the limitations and constraints applying to the functionality and the stated environment of the product should be assessed to ensure that they are consistent with the overall requirements of the system.

Figure 7 – Certified products in safety systems (diagram: commercial "off the shelf" products A, B and C assembled in different combinations and roles within System 1 and System 2)

4.7.7 Before applying the concept of SIL, the following requirements should be considered.

a) The adequate level of SIL applicability should be established by safety experts. It is recommended that no more than 4 levels should be used.

b) A SIL shall only be allocated to an "element", namely a stand-alone equipment which performs one or more simple functions and which can be replaced by another one performing the same function(s). Generally, such an "element" is often the lowest level equipment that can be replaced during a first level corrective maintenance operation.

c) Insofar as the environment in which a product will be inserted is of the utmost importance, the extent in terms of SIL to which an off-the-shelf product is certified, and what that certification means when compared to its safety requirements, shall be examined to state whether all the conditions are met for the system under study.

d) A SIL only addresses an expected level of confidence in the safety of a product. As explained in 4.3 of this standard, safety requirements and availability requirements are inter-related in the context of railway transport. The SIL concept does not cover all aspects of a system and therefore considering SIL alone may not be sufficient (e.g. degraded operation modes or fall-back states with different safety requirements, etc.).


4.8 Fail-safe concept

4.8.1 This standard adopts a broad, risk-management approach to safety. This approach is consistent with the fail-safe concept, well-established among railway engineers.

4.8.2 From the early days of railways, the inherent fail-safe concept has been used. The concept, dependent upon a set of hypotheses, is based on the use of components with well-established failure modes, and on the existence of a safe condition in case of failure of any one of its parts. All those components are arranged so that a system, so constructed, cannot allow a more permissive condition than that existing in the absence of a failure.

4.8.3 The validity of the concept is, in general, based on experience, but it has limited applicability to the development and use of large, complex systems employing commercial microprocessors. The exponential growth in the number of failure combinations to be considered when using such components means that a deterministic approach is, generally, not practicable. With such complex systems, the probabilistic approach can be used effectively.

4.8.4 The fail-safe approach may be valid for parts of a system and, like other deterministic approaches, it is not precluded by this standard. For all approaches, it is necessary to achieve compliance with the specified RAMS requirements for the system.
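An added example, not part of the standard, of the fail-safe property stated in 4.8.2 and of the combinatorial check that 4.8.3 warns becomes impracticable for large systems. It is a toy interlocking rule for one signal, reading two track circuits and one set of points; a failed sensor reports `None`. The fail-safe variant reads any failed input as its restrictive value, and `exhaustive_check` enumerates every nominal state against every pattern of failed inputs and rejects any output more permissive than the failure-free one. A deliberately non-fail-safe variant is included so the check has something to catch. Input names, aspects and the rule itself are constructed for illustration.

```python
"""Fail-safe signal logic and an exhaustive wrong-side failure check (4.8).

Added example, not part of EN 50126 / IEC 62278. The three inputs, the aspect
rule and the aspect names are a constructed toy interlocking.
"""
from enum import IntEnum
from itertools import product
from typing import Callable, Dict, Optional, Tuple


class Aspect(IntEnum):
    STOP = 0      # most restrictive
    CAUTION = 1
    PROCEED = 2   # most permissive; a larger value is a more permissive aspect


# A sensor reading: True = clear / detected, False = occupied / not detected,
# None = the sensor or its channel has failed and the true state is unknown.
Reading = Optional[bool]
INPUTS = ("points_detected_normal", "track_a_clear", "track_b_clear")
Rule = Callable[[Dict[str, Reading]], Aspect]


def _decide(clear: Callable[[str], bool]) -> Aspect:
    """Aspect rule shared by both variants; `clear` resolves a reading to bool."""
    if not clear("points_detected_normal"):
        return Aspect.STOP          # points not proven: never clear the signal
    if not clear("track_a_clear"):
        return Aspect.STOP          # first section occupied
    if not clear("track_b_clear"):
        return Aspect.CAUTION       # next section occupied: approach at caution
    return Aspect.PROCEED


def aspect_fail_safe(inputs: Dict[str, Reading]) -> Aspect:
    """4.8.2: a failed input is read as its restrictive value (occupied / not detected)."""
    return _decide(lambda k: inputs[k] if inputs[k] is not None else False)


def aspect_fail_permissive(inputs: Dict[str, Reading]) -> Aspect:
    """Counter-example: a failed input defaults to 'clear'. Not fail-safe."""
    return _decide(lambda k: inputs[k] if inputs[k] is not None else True)


def exhaustive_check(rule: Rule) -> Tuple[Optional[dict], int]:
    """Enumerate every nominal state (2**n) against every failure pattern (2**n)
    and return (first wrong-side case or None, number of cases checked).

    A wrong-side case is one where failures make the output MORE permissive
    than the failure-free output for the same nominal state. The 2**n * 2**n
    growth in cases is the combinatorial cost 4.8.3 refers to."""
    n = len(INPUTS)
    checked = 0
    for nominal in product([True, False], repeat=n):
        state = dict(zip(INPUTS, nominal))
        base = rule(state)
        for failed in product([False, True], repeat=n):
            degraded = {k: (None if f else state[k]) for k, f in zip(INPUTS, failed)}
            out = rule(degraded)
            checked += 1
            if out > base:
                return ({"nominal": state,
                         "failed": [k for k, f in zip(INPUTS, failed) if f],
                         "failure_free": base.name,
                         "with_failures": out.name}, checked)
    return None, checked


if __name__ == "__main__":
    for name, rule in (("fail-safe", aspect_fail_safe),
                       ("fail-permissive", aspect_fail_permissive)):
        case, n = exhaustive_check(rule)
        print(f"{name}: {n} cases checked, wrong-side case: {case}")
```

With three inputs the check visits 64 cases; the same check for a component with a few dozen internal failure modes would need 2**n nominal states times 2**n failure patterns, which is why 4.8.3 moves large microprocessor-based systems to a probabilistic argument instead.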

5 Management of railway RAMS

5.1 General

5.1.1 This clause defines a management process, based on the system life cycle, which will enable the control of RAMS factors specific to railway applications. The process supports the

– definition of RAMS requirements;
– assessment and control of threats to RAMS;
– planning and implementation of RAMS tasks;
– achievement of compliance with RAMS requirements;
– on-going monitoring, during the life cycle, of compliance.

5.1.2 Although railway RAMS is the focus of this standard, it is one of many aspects of a total railway system. This clause defines a systematic process for RAMS management so that the process is one component of an integrated management approach which addresses all aspects of the complete railway system.

5.1.3 The tolerable safety risk of a railway system for any Railway Authority is dependent upon the safety criteria set by the national Safety Regulatory Authority, or by the Railway Authority itself in agreement with the Safety Regulatory Authority. The primary responsibility for assessing, controlling and minimising risk rests with the Railway Authority. In some cases, legislation requires the formal presentation of evidence to demonstrate the adequacy of system safety.

Page 28: EN 50126

62278/FDIS © IEC – 27 –

5.2 System life cycle

5.2.1 The system life cycle is a sequence of phases, each containing tasks, covering the total life of a system from initial concept through to decommissioning and disposal. The life cycle provides a structure for planning, managing, controlling and monitoring all aspects of a system, including RAMS, as the system progresses through the phases, in order to deliver the right product at the right price within the agreed time scales. The life cycle concept is fundamental to the successful implementation of this standard.

5.2.2 A system life cycle, appropriate in the context of railway application, is shown in figure 8. For each phase of the life cycle, the main tasks are summarised in figure 9. This figure shows RAMS tasks as components of general project tasks. The general tasks are outside the scope of this standard, but are representative of common industry practice. RAMS tasks contribute to the general project tasks for each phase and requirements for the RAMS tasks are detailed in subsequent clauses of this standard.


Figure 8 (flowchart): the system life cycle phases 1 Concept; 2 System definition and application conditions; 3 Risk analysis; 4 System requirements; 5 Apportionment of system requirements; 6 Design and implementation; 7 Manufacture; 8 Installation; 9 System validation (including safety acceptance and commissioning); 10 System acceptance; 11 Operation and maintenance; 12 Performance monitoring; 13 Modification and retrofit; 14 De-commissioning and disposal, with the loops "Re-apply life cycle" (see note 1) and "Re-apply risk analysis" (see note 2).

NOTE 1 The phase at which a modification enters the life cycle will be dependent upon both the system being modified and the specific modification under consideration.

NOTE 2 Risk analysis may have to be repeated at several stages of the life cycle (see item d) of 6.3.1).

Figure 8 – System life cycle


Figure 9 (table) column headings: LIFE CYCLE PHASE; PHASE RELATED GENERAL TASKS; PHASE RELATED RAM TASKS; PHASE RELATED SAFETY TASKS. Each phase below lists its tasks column by column.

1. Concept
General tasks:
• Establish scope and purpose of railway project
• Define railway project concept
• Undertake financial analysis and feasibility studies
• Establish management
RAM tasks:
• Review previously achieved RAM performance
• Consider RAM implications of project
Safety tasks:
• Review previously achieved safety performance
• Consider safety implications of project
• Review safety policy and safety targets

2. System definition and application conditions
General tasks:
• Establish system mission profile
• Prepare system description
• Identify operation and maintenance strategies
• Identify operating conditions
• Identify maintenance conditions
• Identify influence of existing infrastructure constraints
RAM tasks:
• Evaluate past experience data for RAM
• Perform preliminary RAM analysis
• Set RAM policy
• Identify long-term operation and maintenance conditions
• Identify influence on RAM of existing infrastructure constraints
Safety tasks:
• Evaluate past experience data for safety
• Perform preliminary hazard analysis
• Establish Safety Plan (overall)
• Define tolerability of risk criteria
• Identify influence on safety of existing infrastructure constraints

3. Risk analysis (see note 6)
General tasks:
• Undertake project related risk analysis
RAM tasks: (none listed)
Safety tasks:
• Perform system hazard and safety risk analysis
• Set up Hazard Log
• Perform risk assessment

4. System requirements
General tasks:
• Undertake requirements analysis
• Specify system (overall requirements)
• Specify environment
• Define system demonstration and acceptance criteria (overall requirements)
• Establish Validation Plan
• Establish management, quality and organisation requirements
• Implement change control procedure
RAM tasks:
• Specify system RAM requirements (overall)
• Define RAM acceptance criteria (overall)
• Define system functional structure
• Establish RAM programme
• Establish RAM management
Safety tasks:
• Specify system safety requirements (overall)
• Define safety acceptance criteria (overall)
• Define safety related functional requirements
• Establish safety management

Figure 9 – Project phase related tasks (sheet 1 of 4)


Figure 9 (table, continued) column headings: LIFE CYCLE PHASE; PHASE RELATED GENERAL TASKS; PHASE RELATED RAM TASKS; PHASE RELATED SAFETY TASKS.

5. Apportionment of system requirements
General tasks:
• Apportion system requirements
− Specify sub-system and component requirements
− Define sub-system and component acceptance criteria
RAM tasks:
• Apportion system RAM requirements
− Specify sub-system and component RAM requirements
− Define sub-system and component RAM acceptance criteria
Safety tasks:
• Apportion system safety targets and requirements
− Specify sub-system and component safety requirements
− Define sub-system and component safety acceptance criteria
• Update system Safety Plan

6. Design and implementation
General tasks:
• Perform planning
• Perform design and development
• Perform design analysis and testing
• Perform design verification
• Perform implementation and validation
• Perform design of logistic support resources
RAM tasks:
• Implement RAM Programme by review, analysis, testing and data assessment, covering:
− reliability and availability
− maintenance and maintainability
− optimal maintenance policy
− logistic support
• Undertake Programme control, covering:
− RAM Programme management
− control of sub-contractors and suppliers
Safety tasks:
• Implement Safety Plan by review, analysis, testing and data assessment, addressing:
− Hazard Log
− hazard analysis and risk assessment
• Justify safety related design decisions
• Undertake Programme control, covering:
− safety management
− control of sub-contractors and suppliers
• Prepare Generic Safety Case
• Prepare (if appropriate) Generic Application Safety Case

7. Manufacturing
General tasks:
• Perform production planning
• Manufacture
• Manufacture and test sub-assembly of components
• Prepare documentation
• Establish training
RAM tasks:
• Perform environmental stress screening
• Perform RAM improvement testing
• Commence Failure Reporting Analysis and Corrective Action System (FRACAS)
Safety tasks:
• Implement Safety Plan by review, analysis, testing and data assessment
• Use Hazard Log

Figure 9 – Project phase related tasks (sheet 2 of 4)


Figure 9 (table, continued) column headings: LIFE CYCLE PHASE; PHASE RELATED GENERAL TASKS; PHASE RELATED RAM TASKS; PHASE RELATED SAFETY TASKS.

8. Installation
General tasks:
• Assemble system
• Install system
• Start maintainer training
• Establish spare parts and tool provision
RAM tasks:
• Establish Installation Programme
• Implement Installation Programme
Safety tasks: (none listed)

9. System validation (including safety acceptance and commissioning)
General tasks:
• Commission
• Perform probationary period of operation
• Undertake training
RAM tasks:
• Perform RAM demonstration
Safety tasks:
• Establish Commissioning Programme
• Implement Commissioning Programme
• Prepare Application Specific Safety Case

10. System acceptance
General tasks:
• Undertake acceptance procedures, based on acceptance criteria
• Compile evidence for acceptance
• Entry into service
• Continue probationary period of operation (if appropriate)
RAM tasks:
• Assess RAM demonstration
Safety tasks:
• Assess Application Specific Safety Case

11. Operation and maintenance
General tasks:
• Long-term system operation
• Perform on-going maintenance
• Undertake on-going training
• On-going procurement of spare parts and tools
RAM tasks:
• Perform on-going reliability-centred maintenance logistic support
Safety tasks:
• Undertake on-going safety-centred maintenance
• Perform on-going safety performance monitoring and Hazard Log maintenance

12. Performance monitoring
General tasks:
• Collect operational performance statistics
• Acquire, analyse and evaluate data
RAM tasks:
• Collect, analyse, evaluate and use performance and RAM statistics
Safety tasks:
• Collect, analyse, evaluate and use performance and safety statistics

13. Modification and retrofit
General tasks:
• Implement change request procedures
• Implement modification and retrofit procedures
RAM tasks:
• Consider RAM implications for modification and retrofit
Safety tasks:
• Consider safety implications for modification and retrofit

14. Decommissioning and disposal
General tasks:
• Plan decommissioning and disposal
• Undertake decommissioning
• Undertake disposal
RAM tasks:
• No activity for RAM
Safety tasks:
• Establish Safety Plan
• Perform hazard analysis and risk assessment
• Implement Safety Plan

Figure 9 – Project phase related tasks (sheet 3 of 4)


NOTE 1 Change control or configuration management activity applies to all project phases.

NOTE 2 Verification and validation activities apply within most life cycle phases and are included in the main text.

NOTE 3 For RAM, the term “RAM Programme” is in common use and is adopted by this standard. For safety, the term “Safety Plan” is in common use and is adopted by this standard.

NOTE 4 Note that the scope of this standard is limited to RAMS and does not address all systems assurance activities. However, it is necessary to ensure the synchronisation between RAMS phases and project related phases, and to agree on the conditions for passing from one phase to another, from the RAMS point of view.

NOTE 5 Activities within phases 9 and 10 may be integrated, depending upon the application under consideration.

NOTE 6 Risk analysis may have to be repeated at several stages (see 4.6.2 and 6.3.1d)).

Figure 9 – Project phase related tasks (sheet 4 of 4)


5.2.3 This standard acknowledges the balance between the RAMS performance of a system and the costs of development and ownership of the system, known as life cycle costs. This standard requires a consideration of the life cycle costs associated with the RAMS aspects of a system. However, it does not dictate solutions to RAMS issues on the basis of cost, as this is the responsibility of the Railway Authority.

5.2.4 Clause 6 and its subclauses define the objectives, requirements, inputs and deliverables for RAMS tasks in a consistent format, and within an overall project context, for each life cycle phase.

5.2.5 The process supports procurement by providing a comprehensive sequence of tasks within life cycle phases. This provides a basis for the informed contracting of either individual RAMS tasks or a combination of tasks within an integrated management process. Responsibilities for carrying out the tasks will depend on the system under consideration and the contract conditions applicable. Some general guidelines for establishing these responsibilities are given in annex E.

5.2.6 This standard represents the system life cycle sequentially. This representation shows individual phases and the links between phases. Other life cycle representations are widespread within industry and include the "V" model.

5.2.7 A "V" representation of the life cycle contained within this standard is shown in figure 10. The top-down branch (left side) is generally called design and development and is a refining process ending with the manufacturing of system components. The bottom-up branch (right side) is related to the assembly, the installation, the receipt and then the operation of the whole system.

5.2.8 The "V" representation assumes that the activities of acceptance are intrinsically linked to the design and development activities insofar as what is actually designed has to be finally checked in regard to the requirements. So the validation activities for acceptance at various stages of a system are based on the specification of the system and should be planned in the earlier stages, i.e. starting at the corresponding design and development phases of the life cycle. Such a link is shown in figure 11.

5.2.9 This representation is effective in showing verification and validation tasks within the life cycle. The objective of verification is to demonstrate that, for the specific inputs, the deliverables of each phase meet in all respects the requirements of that phase. The objective of validation is to demonstrate that the system under consideration, at any step of its development and after its installation, meets its requirements in all respects.

5.2.10 In this standard, verification tasks are included within each life cycle phase. Although this standard is concerned with system assurance in the context of RAMS, verification and validation (V&V) tasks are integral to the overall demonstration of systems assurance. Consequently, RAMS V&V contributes to overall system assurance V&V.


Figure 10 (diagram): the "V" representation of the life cycle. The top-down (left) branch runs through 1 Concept, 2 System definition and application conditions, 3 Risk analysis, 4 System requirements, 5 Apportionment of system requirements and 6 Design and implementation down to 7 Manufacture at the bottom of the "V"; the bottom-up (right) branch runs through 8 Installation, 9 System validation (including safety acceptance and commissioning), 10 System acceptance, 11 Operation and maintenance and 14 De-commissioning and disposal.

Figure 10 – The "V" representation


Figure 11 (diagram): the sequential representation of the life cycle and the "V" representation of the life cycle shown side by side, each with the blocks System requirements, Apportionment, System validation and System acceptance; Verification is marked between successive blocks and Validation is marked from System requirements across System validation and System acceptance.

NOTE Subclause 5.2.9 provides additional information on the role of verification and validation. Validation is shown to include the system acceptance block because some validation tasks may be covered in that phase (also see 6.9.1 and 6.10.1).

Figure 11 – Verification and validation

5.3 Application of this standard

5.3.1 This subclause gives requirements to provide a flexible and effective application of this standard to railway systems, in terms of size, complexity and cost.

5.3.2 The requirements defined in this standard are generic and are applicable to all types of railway systems. The Railway Authority shall define the application of the requirements of this standard to the system under consideration. This assessment shall be based on the applicability of the requirements to the particular system. Particular care is required during the assessment of the task sequences undertaken in phase 9 (System validation) and phase 10 (System acceptance).

5.3.3 In cases of renewal of a system, there is often a "mixed phase" stage where operation of the existing and the renewed systems is mixed, or they are operated at the same time. In such cases, the safety study shall specifically address the possible effects of interaction between the existing and the renewed systems.

5.3.4 The application of this standard shall be adapted to the specific requirements of the system under consideration. The assessment of the application of this standard to the system under consideration shall:


a) specify the life cycle phases which are required to realise the system under consideration, providing a justification for the life cycle phases specified and demonstrating that the tasks undertaken within these life cycle phases comply with the principles of the requirements of this standard;

b) specify the mandatory activities and requirements of each required life cycle phase, using figure 9 and the relevant phase related information of clause 6 as a checklist, including:

− the scope of each requirement in relation to the system under consideration;

− the methods, tools and techniques required against each requirement and the scope and depth of their application;

− the verification and validation activities required against each requirement and the scope of their application;

− all supporting documentation;

c) justify any deviation from the activities and requirements of the standard;

d) justify the adequacy of the tasks chosen for the application under consideration.

5.3.5 Within all applications of this standard, the following requirements are mandatory:

a) responsibilities for carrying out all RAMS tasks within each phase of the life cycle, including the interfaces between associated tasks, shall be defined and agreed for the system under consideration;

b) all personnel with responsibilities within the RAMS management process shall be competent to discharge those responsibilities;

c) the establishment and implementation of the RAM Programme and Safety Plan are essential components in the realisation of dependable systems. Whilst the content of these planning documents will be specific to the system under consideration, many RAMS tasks will require similar analysis activities. However, the constraints on these activities may be different. For RAM-focused tasks, cost considerations are likely to be the prime driver, whereas for safety-focused tasks, it is the avoidance of accidents and incidents. Within this context, RAMS requirements can conflict, as the economic consequences pertaining to RAMS may be different, depending upon the requirements of the Railway Authority. Recognition of the need to identify and manage RAMS conflicts shall be included within RAMS planning documents, along with details of all RAMS analysis, as the depth of analysis activities may vary between RAMS tasks;

d) the requirements of this standard shall be implemented within the business processes, supported by a Quality Management System (QMS) compliant with the requirements of ISO 9001 appropriate for the system under consideration;

e) an adequate and effective configuration management system shall be established and implemented, addressing RAMS tasks within all life cycle phases. The scope of configuration management will depend on the system under consideration, but shall normally include all system documentation and all other system deliverables.

5.3.6 Clause 6 of this standard elaborates the means to ensure achievement of RAMS requirements through minimising the effects of any impairments and controlling the factors discussed in clause 4, by defining a management process based on the system life cycle. Methods, tools and techniques appropriate to engineering dependable systems are presented in other standards (see annex B). It is important to note that the choice of methods, tools and techniques, and the depth and scope of their application and that of the documentation, shall be commensurate with the requirements of the system under consideration. These should be agreed between the Railway Authority and the supplier for the system under consideration. A general overview of the manner in which these different aspects relate to support RAMS engineering and management is shown in figure 12.


5.3.7 The requirements detailed in this standard are written in order to support an audit process. The Railway Authority and the railway support industry for the system under consideration shall agree and implement an audit plan which addresses the application of the requirements of this standard, as adapted to the system.

Figure 12 (diagram): blocks labelled RAMS theory/maths, RAMS methods/techniques and RAMS procedures form the RAMS engineering "tool box"; education and training give engineer competence; both feed the process implementation of each RAMS phase/task, shown as an input/output step within the system realisation process.

Figure 12 – RAMS engineering and management implemented within a system realisation process

6 RAMS life cycle

This clause details objectives, requirements, deliverables and verification and validation activities to be undertaken throughout each life cycle phase. The scope and application of the requirements shall be assessed and adapted to meet the particular requirements of the system under consideration. For further information on this topic, see 5.3.

6.1 Phase 1: Concept

6.1.1 Objectives

The objective of this phase shall be to develop a level of understanding of the system sufficient to enable all subsequent RAMS life cycle tasks to be satisfactorily performed.

6.1.2 Inputs

The input to this phase shall include all relevant information, and where appropriate, data, necessary to meet the requirements of the phase, for example the scope and purpose statements for the project.

6.1.3 Requirements

6.1.3.1 Requirement 1 of this phase shall be to acquire, in the context of RAMS performance, an understanding of

a) the scope, context and purpose of the system;


b) the environment of the system, including:
– physical issues;
– potential system interface issues;
– social issues;
– political issues;
– legislative issues;
– economic issues;

c) the general RAMS implications of the system.

6.1.3.2 Requirement 2 of this phase shall be to review

a) the RAMS implications of any financial analysis of the system;
b) the RAMS implications of any system feasibility studies.

6.1.3.3 Requirement 3 of this phase shall be to identify sources of hazards which could affect the RAMS performance of the system, including:

– interaction with other systems;
– interaction with humans.

6.1.3.4 Requirement 4 of this phase shall be to obtain information about

a) previous RAMS requirements and past RAMS performance of similar and/or related systems;
b) identified sources of hazards to RAMS performance;
c) current Railway Authority safety policy and targets;
d) safety legislation.

6.1.3.5 Requirement 5 of this phase shall be to define the scope of the management requirements for subsequent system life cycle RAMS tasks.

6.1.4 Deliverables

6.1.4.1 The results from this phase shall be documented, along with any assumptions and justifications made during the phase.

6.1.4.2 The deliverables shall include a management structure adequate to implement the RAMS requirements of life cycle phases 2, 3 and 4.

6.1.4.3 The deliverables from this phase are a key input to subsequent life cycle phases.

6.1.5 Verification

The following verification tasks shall be undertaken within this phase:

a) assessment of the adequacy of the information, and where appropriate, data and other statistics, used as input to RAMS tasks within this phase;

b) assessment of the adequacy of the system environment statement defined under Requirement 1;


c) assessment of the completeness of the hazard source listing defined under Requirement 3;
d) assessment of the adequacy of the methods, tools and techniques used within the phase;
e) assessment of the competence of all personnel undertaking tasks within the phase.

6.2 Phase 2: System definition and application conditions

6.2.1 Objectives

The objectives of this phase are to

a) define the mission profile of the system;
b) define the boundary of the system;
c) establish the application conditions influencing the characteristics of the system;
d) define the scope of system hazard analysis;
e) establish the RAMS policy for the system;
f) establish the Safety Plan for the system;

insofar as they affect the potential RAMS performance of the system.

6.2.2 Inputs

The input to this phase shall include all relevant information, and where appropriate, data, necessary to meet the requirements of the phase, including the deliverables of phase 1.

6.2.3 Requirements

6.2.3.1 Requirement 1 of this phase shall be to define

a) the system mission profile, including:
– performance requirements;
– RAMS targets;
– long-term operating strategy and conditions;
– long-term maintenance strategy and conditions;
– system life considerations, including life cycle costing issues;
– logistic considerations;

b) the system boundary, including:
– interfaces with physical environment;
– interfaces with other technological systems;
– interfaces with humans;
– interfaces with other Railway Authorities;

c) the scope of application conditions influencing the system, including:
– constraints imposed by existing infrastructure;
– system operating conditions;
– system maintenance conditions;


– logistic support considerations;
– review of past experience data for similar systems;

d) the scope of the system hazard analysis, including the identification of
– hazards inherent within the process to be controlled;
– environmental hazards;
– security hazards;
– the influence of external events;
– the boundaries of the system to be analysed;
– the influence on RAMS of existing infrastructure constraints.

6.2.3.2 Requirement 2 of this phase shall be to perform

a) preliminary RAM analysis to support targets;
b) preliminary hazard identification to
– identify sub-systems associated with identified hazards;
– identify types of accident initiating events that need to be considered, including component failure, procedural faults, human error and dependent failure mechanisms;
– define initial risk tolerability criteria.

6.2.3.3 Requirement 3 of this phase shall be to establish the general RAMS policy for the system, including requirements of safety concept and the Railway Authority's policy for resolving any conflicts arising between "availability" and "safety".

6.2.3.4 Requirement 4 of this phase shall be to establish the Safety Plan for the system. The Safety Plan shall be agreed by the Railway Authority and the railway support industry for the system under consideration and shall be implemented, reviewed and maintained throughout the life cycle of the system. The Safety Plan should include

a) the policy and strategy for achieving safety;
b) the scope of the plan;
c) a description of the system;
d) details of roles, responsibilities, competencies and relationships of bodies undertaking tasks within the life cycle;
e) description of the system life cycle and safety tasks to be undertaken within the life cycle along with any dependencies;
f) the safety analysis, engineering and assessment processes to be applied during the life cycle, including processes for
– ensuring an appropriate degree of personnel independence in tasks, commensurate with the risk of the system;
– hazard identification and analysis;
– risk assessment and on-going risk management;
– risk tolerability criteria;
– the establishment and on-going review of the adequacy of the safety requirements;
– system design;
– verification and validation;
– safety assessment, to achieve compliance between system requirements and realisation;


– safety audit, to achieve compliance of the management process with the Safety Plan;
– safety assessment to achieve compliance between sub-system and system safety analysis;
g) details of all safety related deliverables from the life cycle, including:
– documentation;
– hardware;
– software;
h) a process to prepare system Safety Cases;
i) a process for the safety approval of the system;
j) a process for safety approval of system modifications;
k) a process for analysing operation and maintenance performance to ensure realised safety is compliant with requirements;
l) a process for the maintenance of safety-related documentation, including a Hazard Log;
m) interfaces with other related programmes and plans;
n) constraints and assumptions made in the plan;
o) subcontractor management arrangements;
p) requirements for periodic safety audit, safety assessment and safety review, throughout the life cycle and appropriate to the safety relevance of the system under consideration, including any personnel independence requirements.

6.2.4 Deliverables

6.2.4.1 The results of this phase shall be documented, along with any assumptions and justifications made during the phase.

6.2.4.2 The deliverables shall include the RAMS Policy for the system.

6.2.4.3 The deliverables shall include the Safety Plan for the system.

6.2.4.4 The deliverables from this phase form a key input to subsequent life cycle phases.

6.2.5 Verification

6.2.5.1 The following verification tasks shall be undertaken within this phase:

a) assessment of the adequacy of the information, and where appropriate, data and other statistics, used as input to tasks within this phase;

b) RAMS aspects of the phase 2 deliverables shall be verified against the phase 1 deliverables, in particular, the RAMS Policy shall be assessed for compliance against the system requirements defined in phase 1;

c) the completeness of the RAM analysis and hazard identification process shall be assessed;
d) assessment of the adequacy of the Safety Plan, including a review of the adequacy of any data sources included within the Safety Plan;
e) assessment of the adequacy of the methods, tools and techniques used within the phase;


f) assessment of the competence of all personnel undertaking tasks within the phase.

6.2.5.2 Any errors or shortfalls may require the re-application of some or all of the activities of one or more previous life cycle phases.

6.3 Phase 3: Risk analysis

NOTE Risk analysis may need to be repeated at several stages of the life cycle (see item d) of 6.3.1 below).

6.3.1 Objectives

The objectives of this phase are to

a) identify hazards associated with the system;
b) identify the events leading to the hazards;
c) determine the risk associated with the hazards;
d) establish a process for on-going risk management.

6.3.2 Inputs

The input to this phase shall include all relevant information, and where appropriate, data, necessary to meet the requirements of the phase and in particular, the deliverables produced in phase 2.

6.3.3 Requirements

6.3.3.1 Requirement 1 of this phase shall be to

a) systematically identify and prioritise all reasonably foreseeable hazards associated with the system in its application environment, including hazards arising from
– system normal operation;
– system fault conditions;
– system emergency operation;
– system misuse;
– system interfaces;
– system functionality;
– system operation, maintenance and support issues;
– system disposal considerations;
– human factors;
– occupational health issues;
– mechanical environment;
– electrical environment;
– natural environment to cover such matters as snow, floods, storms, rain, landslides, etc.;
b) identify the sequence of events leading to hazards;
c) evaluate the frequency of occurrence of each hazard (see table 2);


d) evaluate the likely severity of the consequences of each hazard (see table 3);
e) evaluate the risk to the system for each hazard.

6.3.3.2 Requirement 2 of this phase shall be to determine and classify the acceptability of the risk associated with each identified hazard, having considered the risk in terms of any conflicts with availability and life cycle cost requirements of the system.

6.3.3.3 Requirement 3 of this phase shall be to establish a Hazard Log as the basis for on-going risk management. The Hazard Log shall be updated, whenever a change to any identified hazard occurs or a new hazard is identified, throughout the life cycle. The Hazard Log shall include details of

a) the aim and purpose of the Hazard Log;
b) each hazardous event and contributing components;
c) likely consequences and frequencies of the sequence of events associated with each hazard;
d) the risk of each hazard;
e) risk tolerability criteria for the application;
f) the measures taken to reduce to a tolerable level, or remove, the risk for each hazardous event;
g) a process to review risk tolerability;
h) a process to review the effectiveness of risk reduction measures;
i) a process for on-going risk and accident reporting;
j) a process for management of the Hazard Log;
k) the limits of any analysis carried out;
l) any assumptions made during the analysis;
m) any confidence limits applying to data used within the analysis;
n) the methods, tools and techniques used;
o) the personnel, and their competencies, involved in the process.
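As an added illustration of the risk evaluation of 6.3.3.1 c) to e) and the Hazard Log of 6.3.3.3 (example code written for this page, not part of the standard or of any project): the frequency and severity category names, the risk matrix, the tolerable classes and the sample hazards are assumptions standing in for tables 2 and 3, which this page does not reproduce.

```python
"""Hazard Log with risk evaluation (6.3.3.1 c) to e) and 6.3.3.3). Added example,
not part of EN 50126 / IEC 62278. The category names and the risk matrix are an
ASSUMED calibration standing in for tables 2 and 3, which this page does not
reproduce; a real Hazard Log takes them from the agreed tolerability criteria."""
from dataclasses import dataclass, field

# Assumed ordinal scales: index 0 is the most frequent / most severe category.
FREQUENCY = ["frequent", "probable", "occasional", "remote", "improbable", "incredible"]
SEVERITY = ["catastrophic", "critical", "marginal", "insignificant"]

# Assumed risk matrix: rows follow FREQUENCY, columns follow SEVERITY.
RISK_MATRIX = [
    ["intolerable", "intolerable", "intolerable", "undesirable"],
    ["intolerable", "intolerable", "undesirable", "tolerable"],
    ["intolerable", "undesirable", "undesirable", "tolerable"],
    ["undesirable", "undesirable", "tolerable", "negligible"],
    ["tolerable", "tolerable", "negligible", "negligible"],
    ["negligible", "negligible", "negligible", "negligible"],
]


def risk_class(frequency: str, severity: str) -> str:
    """6.3.3.1 e): combine the frequency and severity categories into a risk class."""
    return RISK_MATRIX[FREQUENCY.index(frequency)][SEVERITY.index(severity)]


@dataclass
class Measure:
    # Item f): a risk reduction measure and the residual categories it leaves.
    description: str
    residual_frequency: str
    residual_severity: str


@dataclass
class HazardEntry:
    """One Hazard Log record covering items b) to f) of 6.3.3.3."""
    ident: str
    hazard: str
    components: list         # contributing components, item b)
    event_sequence: list     # events leading to the hazard, 6.3.3.1 b)
    frequency: str           # item c), on the assumed FREQUENCY scale
    severity: str            # item c), on the assumed SEVERITY scale
    measures: list = field(default_factory=list)
    history: list = field(default_factory=list)  # every update, as the log must record

    def initial_risk(self) -> str:
        return risk_class(self.frequency, self.severity)  # item d)

    def residual_risk(self) -> str:
        """Risk after the last recorded measure, or the initial risk if there is none."""
        if not self.measures:
            return self.initial_risk()
        last = self.measures[-1]
        return risk_class(last.residual_frequency, last.residual_severity)


class HazardLog:
    """6.3.3.3: basis for on-going risk management; tolerable_classes is item e)."""

    def __init__(self, purpose: str, tolerable_classes: set):
        self.purpose = purpose                      # item a)
        self.tolerable_classes = tolerable_classes  # item e)
        self.entries: dict = {}

    def add(self, entry: HazardEntry) -> None:
        entry.history.append(("added", entry.initial_risk()))
        self.entries[entry.ident] = entry

    def reduce(self, ident: str, measure: Measure) -> str:
        """Record a measure (item f)) and return the residual risk class."""
        entry = self.entries[ident]
        entry.measures.append(measure)
        residual = entry.residual_risk()
        entry.history.append(("measure", measure.description, residual))
        return residual

    def review_tolerability(self) -> list:
        """Item g): identifiers of hazards whose residual risk is not yet tolerable."""
        return sorted(i for i, e in self.entries.items()
                      if e.residual_risk() not in self.tolerable_classes)

    def completeness_gaps(self) -> list:
        """Support for verification 6.3.5.1 c): records missing required data."""
        gaps = []
        for ident, e in self.entries.items():
            if not e.event_sequence:
                gaps.append((ident, "no event sequence"))
            if not e.measures and e.initial_risk() not in self.tolerable_classes:
                gaps.append((ident, "non-tolerable risk with no measure recorded"))
        return gaps


def demo_log() -> HazardLog:
    """Constructed sample data (not from any real project) exercising the log."""
    log = HazardLog("Risk management for a constructed signalling example",
                    tolerable_classes={"tolerable", "negligible"})
    log.add(HazardEntry("H-001", "Wrong-side signal aspect", ["interlocking", "lamp driver"],
                        ["undetected output fault", "proceed aspect shown"],
                        "occasional", "catastrophic"))
    log.add(HazardEntry("H-002", "Passenger slip at platform edge", ["platform surface"],
                        ["wet surface", "fall"], "probable", "marginal"))
    log.reduce("H-001", Measure("Output read-back, fall back to restrictive aspect",
                                "improbable", "catastrophic"))
    return log
```

Running demo_log() leaves H-001 at a tolerable residual risk with its update history recorded, while review_tolerability() and completeness_gaps() both flag H-002, whose undesirable risk has no measure recorded yet.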

6.3.4 Deliverables

6.3.4.1 The results of this phase shall be documented, along with any assumptions and justifications made during the phase.

6.3.4.2 The results of the risk analysis shall be recorded within the Hazard Log.

6.3.4.3 The deliverables from this phase form a key input to subsequent life cycle phases.


6.3.5 Verification

6.3.5.1 The following verification tasks shall be undertaken within this phase:

a) assessment of the adequacy of the information, and where appropriate, data and otherstatistics, used as input to tasks within this phase;

b) the phase 3 deliverables shall be verified against the phase 2 deliverables;c) assessment of the completeness of the risk assessment;d) assessment of the risk acceptability classification;e) assessment of the suitability of the Hazard Log process for the system under consideration;f) assessment of the adequacy of the methods, tools and techniques used within the phase;g) assessment of the competence of all personnel undertaking tasks within the phase.

6.3.5.2 Any errors or shortfall may require the re-application of some or all of the activities of one or more previous life cycle phases.

6.4 Phase 4: System requirements

6.4.1 Objectives

The objectives of this phase are to

a) specify the overall RAMS requirements for the system;

b) specify the overall demonstration and acceptance criteria for RAMS for the system;

c) establish the RAM Programme for controlling RAM tasks during subsequent life cycle phases.

6.4.2 Inputs

The input to this phase shall include all relevant information, and where appropriate, data, necessary to meet the requirements of the phase and in particular, the deliverables of phase 2 and phase 3.

6.4.3 Requirements

6.4.3.1 Requirement 1 of this phase shall be to specify (with reference to 6.2.3.1) the overall RAMS requirements for the total system. The RAMS requirements, for the system under consideration, shall include

– definition of the system and boundaries;

– mission profile;

– functional requirements and supporting performance requirements, including safety functional requirements and safety integrity requirements for each safety function;

– logistic support requirements;

– interfaces;

– application environment;

– tolerable risk levels for identified hazards;

– external measures necessary to achieve the requirements;

– system support requirements;

– details of the limits of the analysis;

– details of any assumptions made.

6.4.3.2 Requirement 2 of this phase shall be to specify (with reference to 6.2.3.3) the overall requirements for achieving compliance with RAMS requirements for the system, including

– acceptance criteria for the overall RAMS requirements;

– demonstration and acceptance process for the overall RAMS requirements facilitated by the system RAMS validation plan, which should include

• a description of the system;

• the RAMS validation principles to be applied to the system;

• the RAMS tests and analysis to be carried out for the validation including details of the required environment, tools, facilities etc.;

• the validation management structure including requirements for personnel independence;

• details of the validation programme (sequence and schedule);

• procedures for dealing with non-compliance.

6.4.3.3 Requirement 3 of this phase shall be to establish the detailed RAM Programme for the remaining life cycle tasks (with reference to 6.2.3.3). The RAM Programme shall include the tasks which are judged to be the most effective to the attainment of the RAM requirements for the system under consideration. The RAM Programme shall be agreed by the Railway Authority and the railway support industry for the system under consideration and shall be implemented throughout the life cycle of the system. Within the RAM Programme, consideration should be given to including the following tasks:

a) management, including details of

– the policy and strategy for achieving RAM requirements;

– the scope of the programme;

– a description of the system;

– the system life cycle and RAM tasks and processes to be undertaken within the life cycle, specifically the order of RAM tasks to ensure maximum benefit to system design;

– the roles, responsibilities, competencies and relationships of organisations undertaking tasks within the life cycle;

– a Failure Reporting Analysis and Corrective Action System (FRACAS) to be applied to the system from phase 7 of the life cycle (by the Railway Authority and the railway support industry, as appropriate), with records including:

• technical data on system;

• reason for maintenance action;

• type of maintenance action;

• man-hours and elapsed time for maintenance action;

• maintenance down time;

• number and skill level of personnel;

• spare parts used;

• cost of consumables;

• reporting and corrective action;

– the arrangements to ensure co-ordination of individual RAM elements;

– details of all RAM related deliverables from the life cycle;

– details of RAM acceptance tasks;

– interfaces with other related programmes and plans;

– constraints and assumptions made in the RAM programme;

– subcontractor management arrangements;

b) reliability, including:

– reliability analysis and prediction, including:

• functional analysis and system failure definition;

• top down analysis, for example fault tree analysis and block diagram analysis;

• bottom up analysis, for example Failure Modes Effects Analysis (FMEA);

• common cause failure or multiple failure analysis;

• sensitivity analysis and trade-off studies;

• reliability apportionment;

• human machine interface analysis;

• stress analysis;

• “worst case” prediction and tolerance analysis;

– reliability planning, including:

• reliability design review programme;

• component reliability assurance programme;

• software quality/reliability assurance programme;

– reliability testing, including:

• reliability growth testing, based on failure generation;

• reliability demonstration testing, based on expected failure modes;

• environmental stress screening;

• life testing of components;

• system life testing during early operation;

– reliability data acquisition and assessment;

– data analysis for reliability improvement;

c) maintainability, including:

– maintainability analysis and prediction, including:

• maintainability analysis and verification;

• maintenance task analysis;

• ease-of-maintenance studies and testing;

• human factors maintainability considerations;

– maintainability planning, including:

• maintainability design review programme;

• establishment of the maintenance strategy;

• review of reliability centred maintenance options;

• software maintenance programme;

– logistic support evaluation including:

• definition of maintenance requirements;

• definition of spares policy and support resource;

• maintenance personnel and facilities;

• personnel safety precautions;

• system support requirements;

• training programme requirements;

• system transportation, packaging, handling and storage conditions;

– maintainability data acquisition and assessment;

– data analysis for maintainability improvement;

d) availability, including:

– availability analysis;

– sensitivity analysis and trade-off studies;

– availability demonstration during early operation;

– availability data acquisition and assessment;

– data analysis for availability improvement and prediction.
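As an added example (not the standard's own material), the following Python code shows how FRACAS records carrying the fields listed under a) feed the reliability, maintainability and availability data analysis tasks of b) to d): corrective actions give MTBF, their elapsed repair times give MTTR, total down time gives operational availability, a Pareto ranking of failure modes directs corrective action, and the achieved figures are compared with RAM targets. The records, the observation period and the targets are constructed.

```python
"""Analysis of FRACAS records: added example (not part of EN 50126) showing how
the records listed under item a) feed the reliability, maintainability and
availability data analysis tasks of items b) to d).  All data is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class FracasRecord:
    """One maintenance event, with the record fields the RAM Programme lists."""
    unit: str                 # technical data on system: the item maintained
    reason: str               # reason for maintenance action (failure mode)
    action_type: str          # "corrective" or "preventive"
    man_hours: float
    elapsed_hours: float      # elapsed time for the maintenance action
    downtime_hours: float     # maintenance down time (system not available)
    personnel: int
    skill_level: str
    spares: List[str]
    consumables_cost: float
    corrective_action: str    # reporting and corrective action taken


OBSERVATION_HOURS = 8760.0    # assumed one-year observation period

# Constructed records for a small sub-system; not real data.
RECORDS = [
    FracasRecord("door controller", "relay contact welded", "corrective",
                 3.0, 2.0, 2.5, 2, "technician", ["relay K4"], 40.0, "relay replaced"),
    FracasRecord("door controller", "relay contact welded", "corrective",
                 4.5, 3.0, 3.5, 2, "technician", ["relay K4"], 40.0, "relay type changed"),
    FracasRecord("traction converter", "IGBT module failure", "corrective",
                 20.0, 10.0, 12.0, 2, "specialist", ["IGBT module"], 900.0, "module replaced"),
    FracasRecord("brake unit", "pressure sensor drift", "corrective",
                 1.0, 1.0, 2.0, 1, "technician", [], 0.0, "sensor recalibrated"),
    FracasRecord("bogie", "scheduled inspection", "preventive",
                 8.0, 4.0, 4.0, 2, "technician", [], 60.0, "no defect found"),
]


def failures(records: List[FracasRecord]) -> List[FracasRecord]:
    """Only corrective actions count as failures for the reliability figures."""
    return [r for r in records if r.action_type == "corrective"]


def total_downtime(records: List[FracasRecord]) -> float:
    return sum(r.downtime_hours for r in records)


def mtbf(records: List[FracasRecord], hours: float = OBSERVATION_HOURS) -> float:
    """Mean operating time between failures: up time / number of failures."""
    return (hours - total_downtime(records)) / len(failures(records))


def mttr(records: List[FracasRecord]) -> float:
    """Mean time to restore: mean elapsed repair time of corrective actions."""
    fails = failures(records)
    return sum(r.elapsed_hours for r in fails) / len(fails)


def availability(records: List[FracasRecord], hours: float = OBSERVATION_HOURS) -> float:
    """Operational availability over the period: 1 - down time / total time,
    counting both corrective and preventive maintenance down time."""
    return 1.0 - total_downtime(records) / hours


def failure_mode_pareto(records: List[FracasRecord]) -> List[Tuple[Tuple[str, str], int, float]]:
    """Data analysis for reliability improvement: failure modes ranked by the
    down time they caused, with their occurrence counts."""
    count: Dict[Tuple[str, str], int] = defaultdict(int)
    down: Dict[Tuple[str, str], float] = defaultdict(float)
    for r in failures(records):
        count[(r.unit, r.reason)] += 1
        down[(r.unit, r.reason)] += r.downtime_hours
    return sorted(((mode, count[mode], down[mode]) for mode in count),
                  key=lambda item: item[2], reverse=True)


def assess_against_targets(records: List[FracasRecord], targets: Dict[str, float]) -> Dict[str, bool]:
    """Compare achieved figures with assumed RAM targets (the check that the
    operation and performance monitoring phases repeat through service)."""
    return {
        "mtbf": mtbf(records) >= targets["mtbf_hours"],
        "mttr": mttr(records) <= targets["mttr_hours"],
        "availability": availability(records) >= targets["availability"],
    }
```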

6.4.3.4 Requirement 4 of this phase shall be to amend the Safety Plan to ensure that all future planned tasks are consistent with the system’s emergent RAMS requirements.

6.4.4 Deliverables

6.4.4.1 The results of this phase shall be documented, along with any assumptions and justifications made during the phase.

6.4.4.2 The phase shall produce an updated Safety Plan and Acceptance Plan.

6.4.4.3 The deliverables from this phase are an input to subsequent life cycle phases.

6.4.5 Verification

6.4.5.1 The following verification tasks shall be undertaken within this phase:

a) assessment of the adequacy of the information, and where appropriate, data and other statistics, used as input to tasks within this phase;

b) system requirements shall be verified against the deliverables produced within phase 2 and phase 3, including life cycle costings;

c) safety requirements shall be verified against any safety targets and safety policies of the Railway Authority;

d) RAM requirements shall be verified against any RAM targets and RAM policies of the Railway Authority;

e) assessment of the adequacy and completeness of the Acceptance Plan and the Validation Plan;

f) assessment of the adequacy of the RAM Programme, including a review of the adequacy of any data sources used;

g) assessment of the methods, tools and techniques used within the phase;

h) competence assessment of personnel undertaking tasks within the phase.

6.4.5.2 Any errors or shortfall may require the re-application of some or all of the activities of one or more previous life cycle phases.

6.5 Phase 5: Apportionment of system requirements

6.5.1 Objectives

The objectives of this phase are to

a) apportion the overall RAMS requirements for the system to designated sub-systems, components and external facilities;

b) define the RAMS acceptance criteria for the designated sub-systems, components and external facilities.

6.5.2 Inputs

The input to this phase shall include all relevant information, and where appropriate, data, necessary to meet the requirements of the phase and in particular, all deliverables produced in phase 4.

6.5.3 Requirements

6.5.3.1 Requirement 1 of this phase shall be to

a) allocate functional requirements to designated sub-systems, components and external facilities;

b) allocate safety requirements to designated sub-systems, components and external risk reduction facilities;

c) specify the designated sub-systems, components and external facilities to achieve complete system RAM requirements, including the impact of common cause and multiple failures;

d) review the RAM programme.

6.5.3.2 Requirement 2 of this phase shall be to specify requirements for compliance with sub-system, component and external facilities requirements, including:

– acceptance criteria for sub-system, component and external facilities requirements;

– demonstration and acceptance processes and procedures for sub-system, component and external facilities requirements.

6.5.3.3 Requirement 3 of this phase shall be to review and update the Safety Plan and the Validation Plan to ensure that planned tasks are consistent with the requirements of the system following apportionment. Key areas of concern include requirements for personnel independence and the control of system interfaces where safety functionality may be compromised.

6.5.4 Deliverables

6.5.4.1 The results of this phase shall be documented, along with any assumptions and justifications made during the phase.

6.5.4.2 This phase shall produce an updated Safety Plan.

6.5.4.3 The documents resulting from this phase shall include the allocated system requirements to the designated sub-systems, components and external facilities.

6.5.4.4 The deliverables from this phase form a key input to subsequent life cycle phases.

6.5.5 Verification

6.5.5.1 The following verification tasks shall be undertaken within this phase:

a) assessment of the adequacy of the information, and where appropriate, data and other statistics, used as input to tasks within this phase;

b) verification of system, sub-system, component and external facility requirements against the deliverables produced in phase 4, and including a review of the requirements against the life cycle cost for the system;

c) the architecture for the total combination of designated sub-systems, components and external facilities shall be verified to ensure it complies with the RAMS requirements for the total system;

d) the RAMS requirements for sub-system, component and external facilities shall be verified to ensure that they are traceable to the RAMS requirements for the system;

e) the RAMS requirements for sub-system, component and external facilities shall be verified to ensure completeness and consistency between functions;

f) the revised Safety Plan and Validation Plan shall be verified to ensure their continued applicability;

g) assessment of the adequacy of the methods, tools and techniques used within the phase;

h) assessment of the competence of all personnel undertaking tasks within the phase.

6.5.5.2 Any errors or shortfall may require the re-application of some or all of the activities of one or more previous life cycle phases.
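The following Python code, added here as an illustration and not part of the standard, works an apportionment under 6.5.3.1 together with the verification tasks c) to e) of 6.5.5: a system failure-rate requirement is split across sub-systems in series by weight, the allocation of a redundant sub-system is converted into a per-unit requirement with a beta-factor allowance for common cause failure, and the predicted unit rates are recombined to check traceability and compliance with the system requirement. The weights, rates, the beta value and the simplified common-cause treatment are assumptions.

```python
"""Apportionment of a system failure-rate requirement to sub-systems, followed
by the phase 5 verification that the combination still meets the system
requirement.  Added example, not part of EN 50126; weights, targets and the
common-cause treatment are ASSUMPTIONS made for illustration."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class SubSystem:
    name: str
    weight: float            # assumed share of the failure-rate budget
    redundant: bool = False  # one-out-of-two duplicated unit
    beta: float = 0.0        # assumed common-cause fraction (beta-factor model)


def apportion(system_lambda: float, subsystems: List[SubSystem]) -> Dict[str, float]:
    """Weighted apportionment: each sub-system receives the share of the system
    failure rate given by its weight (sub-systems in series, so rates add)."""
    total = sum(s.weight for s in subsystems)
    return {s.name: system_lambda * s.weight / total for s in subsystems}


def unit_requirement(allocated: float, sub: SubSystem) -> float:
    """Traceable requirement for one unit.  For a redundant pair the beta-factor
    model (ASSUMED here; independent double failures neglected) gives the pair
    a rate of beta * lambda_unit, so a single unit may be allocated / beta."""
    return allocated / sub.beta if sub.redundant else allocated


def effective_rate(achieved_unit_lambda: float, sub: SubSystem) -> float:
    """Contribution of a sub-system to the system rate, common cause included."""
    return sub.beta * achieved_unit_lambda if sub.redundant else achieved_unit_lambda


def combined_rate(subsystems: List[SubSystem], achieved: Dict[str, float]) -> float:
    """Recombine the specified sub-systems in series (6.5.5 c)."""
    return sum(effective_rate(achieved[s.name], s) for s in subsystems)


def verify_apportionment(system_lambda: float, subsystems: List[SubSystem],
                         achieved: Dict[str, float]) -> Dict[str, bool]:
    """6.5.5 c) to e): every achieved unit rate traces to an allocation and
    meets it, and the recombined architecture meets the system requirement."""
    alloc = apportion(system_lambda, subsystems)
    per_unit = {s.name: achieved[s.name] <= unit_requirement(alloc[s.name], s)
                for s in subsystems}
    return {"traceable": set(achieved) == set(alloc),
            "units_meet_allocation": all(per_unit.values()),
            "system_meets_requirement": combined_rate(subsystems, achieved) <= system_lambda}


# Constructed case: system MTBF requirement 10 000 h, i.e. lambda = 1e-4 per hour.
SYSTEM_LAMBDA = 1.0 / 10_000
SUBSYSTEMS = [
    SubSystem("traction", weight=4),
    SubSystem("doors", weight=3),
    SubSystem("brakes", weight=2, redundant=True, beta=0.1),
    SubSystem("control", weight=1),
]
# Assumed predicted rates from the phase 6 designs (per single unit for "brakes").
ACHIEVED = {"traction": 3.5e-5, "doors": 2.8e-5, "brakes": 1.5e-4, "control": 1.0e-5}
```

With these figures the brake pair is allowed a per-unit rate ten times its allocation because only the common-cause share reaches the system level; raising the brake unit rate to 2.5e-4 per hour still leaves the system figure inside its budget but breaks traceability to the allocation, which is exactly the shortfall check d) is meant to catch.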

6.6 Phase 6: Design and implementation

6.6.1 Objectives

The objectives of this phase are to

a) create sub-systems and components conforming to RAMS requirements;

b) demonstrate sub-systems and components conform to RAMS requirements;

c) establish plans for future life cycle tasks involving RAMS.

6.6.2 Inputs

The input to this phase shall include all relevant information, and where appropriate, data, necessary to meet the requirement, and in particular the deliverables produced in phase 4 and phase 5.

6.6.3 Requirements

6.6.3.1 Requirement 1 of this phase shall be to design the sub-systems and components to meet RAMS requirements.

6.6.3.2 Requirement 2 of this phase shall be to realise the design of the sub-systems and components to meet RAMS requirements.

6.6.3.3 Requirement 3 of this phase shall be to establish plans, in the context of RAMS, for future life cycle tasks, including:

– installation;

– commissioning;

– operation and maintenance, including definition of operation and maintenance procedures;

– data acquisition and assessment during operation.

6.6.3.4 Requirement 4 of this phase shall be to define, verify and establish a manufacturing process capable of producing RAMS-validated sub-systems and components, giving consideration to the use of

– environmental stress screening;

– RAM improvement testing;

– inspection and testing for RAMS-related failure modes;

– implementation of requirement 4 of the Safety Plan (item d) of 6.2.3.4).

6.6.3.5 Requirement 5 of this phase shall be to

a) prepare a Generic Safety Case for the system, justifying that the system, as designed and independent of application, meets safety requirements. The Safety Case requires approval by the Railway Authority, and should include

– an overview of the system;

– a summary or reference to the safety requirements, including a consideration of the SIL justifications for safety functions;

– a summary of the quality and safety management controls adopted within the life cycle;

– a summary of safety assessment and safety audit tasks;

– a summary of safety analysis tasks;

– an overview of the safety engineering techniques employed within the system;

– verification of the manufacturing process;

– adequacy of compliance with safety requirements, including any SIL requirements of the system;

– a summary of any limitations and constraints applying to the system;

– any special exemption (or specificity) imposed and justified by the contract, to the usual requirements of this standard;

b) prepare an Application Safety Case, if appropriate at this stage, for the system. The Application Safety Case builds on the Generic Safety Case, justifying that the design of the system and its physical realisation, including installation and test phases, for a specific class of application, meet safety requirements. The Application Safety Case requires approval by the Railway Authority, and should include

– all additional information necessary to justify system safety for the class of application under consideration;

– any limitations or constraints relevant to the application of the system.

6.6.4 Deliverables

6.6.4.1 The results of this phase shall be documented, along with any assumptions and justifications made during the phase.

6.6.4.2 A record of all RAMS validation tasks undertaken within the phase shall be maintained.

6.6.4.3 Detailed plans for future life cycle tasks, in the context of RAMS, shall be produced.

6.6.4.4 Operation and Maintenance Procedures including all the relevant information for providing spare parts, particularly safety related items, shall be produced within this phase.

6.6.4.5 A Generic Safety Case shall be produced within this phase.

6.6.4.6 An Application Safety Case may be produced within this phase.

6.6.4.7 The deliverables from this phase form a key input to subsequent life cycle phases.

6.6.5 Verification

6.6.5.1 The following verification tasks shall be undertaken within this phase:

a) assessment of the adequacy of the information, and where appropriate, data and other statistics, used as input to tasks within this phase;

b) verification, by analysis and test, that sub-system and component design complies with the RAMS requirements;

c) verification, by analysis and test, that sub-system and component realisation complies with designs;

d) validation of sub-system and component realisation to ensure that the realisation complies with RAMS acceptance criteria for sub-systems and components, including life cycle requirements;

e) verification, by analysis and test, that the manufacturing arrangements produce RAMS-validated sub-systems and components;

f) verification that all future life cycle activity plans are consistent with RAMS requirements for the system, including life cycle cost requirements;

g) assessment of the adequacy and completeness of the generic safety case and where appropriate, the application safety case;

h) assessment of the adequacy of the methods, tools and techniques used within the phase;

i) assessment of the competence of all personnel undertaking tasks within the phase;

j) ensure the continued applicability of the RAMS validation plan.

6.6.5.2 Any errors or shortfalls may require the re-application of some or all of the activities of one or more previous life cycle phases.

6.7 Phase 7: Manufacturing

6.7.1 Objectives

The objectives of this phase are to

a) implement a manufacturing process which produces RAMS-validated sub-systems and components;

b) establish RAMS-centred process assurance arrangements;

c) establish sub-system and component RAMS support arrangements.

6.7.2 Inputs

The input to this phase shall include all relevant information, and where appropriate, data, necessary to meet the requirement, and in particular the design deliverables produced in phase 6.

6.7.3 Requirements

6.7.3.1 Requirement 1 of this phase shall be to verify and implement the manufacturing process.

6.7.3.2 Requirement 2 of this phase shall be to establish sub-system and component support arrangements, including:

– preparation, verification and validation of sub-system and component RAMS support documentation;

– preparation, verification and validation of operation and maintenance procedures in the context of RAMS;

– preparation, verification and validation of sub-system and component training material in the context of RAMS.

The above documentation, procedures and training material shall be reviewed in all subsequent phases.

6.7.3.3 Requirement 3 of this phase may, if appropriate, be to

a) plan manufacturing to meet requirements;

b) implement manufacturing to meet requirements;

c) implement RAMS process assurance to avoid potential RAMS-related failure modes.

6.7.4 Deliverables

6.7.4.1 The results of this phase shall be documented, along with any assumptions and justifications made during the phase.

6.7.4.2 A record of all RAMS validation tasks undertaken within the phase shall be maintained.

6.7.4.3 The deliverables from this phase form a key input to subsequent life cycle phases.

6.7.5 Verification

6.7.5.1 The following verification tasks shall be undertaken within this phase:

a) assessment of the adequacy of the information, and where appropriate, data and other statistics, used as input to tasks within this phase;

b) verification that RAMS support documentation is correct, adequate and consistent with life cycle cost requirements and any target RAMS requirements defined for the system;

c) assessment to ensure that the products being manufactured comply with system requirements;

d) assessment of the adequacy of the methods, tools and techniques used within the phase;

e) assessment of the competence of all personnel undertaking tasks within the phase.

6.7.5.2 Any errors or shortfalls may require the re-application of some or all of the activities of one or more previous life cycle phases.

6.8 Phase 8: Installation

6.8.1 Objectives

The objectives of this phase are to

a) assemble and install the total combination of sub-systems and components required to form the complete system;

b) initiate system support arrangements.

6.8.2 Inputs

The input to this phase shall include all relevant information, and where appropriate, data, necessary to meet the requirement, and in particular the Installation Plan prepared in phase 6, the sub-systems and components manufactured in phase 7 and the RAMS support documentation prepared in phase 7.

6.8.3 Requirements

6.8.3.1 Requirement 1 of this phase shall be to assemble and install the total combination of sub-systems, components and external facilities required to form the complete system, according to the Installation Plan.

6.8.3.2 Requirement 2 of this phase shall be to document the installation process, including:

– review plans in the context of requirement 3 of the design and implementation phase (6.6.3.3);

– installation tasks;

– action taken to resolve failures and incompatibilities.

6.8.3.3 Requirement 3 of this phase shall be to review and update the Safety Plan following completion of installation to ensure that any changes to either system or procedures are recorded and effectively managed in future life cycle tasks.

6.8.3.4 Requirement 4 of this phase shall be to

a) start staff training;

b) make support procedures available;

c) establish spare parts provision;

d) establish tool provision.

6.8.4 Deliverables

6.8.4.1 The results of this phase shall be documented, along with any assumptions and justifications made during the phase.

6.8.4.2 A record of all RAMS validation tasks undertaken within the phase, including the installation activity, shall be maintained.

6.8.4.3 An updated Safety Plan shall be produced within this phase.

6.8.4.4 The deliverables from this phase form a key input to subsequent life cycle phases.

6.8.5 Verification

6.8.5.1 The following verification tasks shall be undertaken within this phase:

a) assessment of the adequacy of the information, and where appropriate, data and other statistics, used as input to tasks within this phase;

b) verification that the installation activity was carried out in accordance with the Installation Plan;

c) verification, by analysis and test, that the installed system meets the RAMS requirements;

d) assessment of the Safety Plan to ensure its continued applicability;

e) assessment of the adequacy and effectiveness of system support arrangements;

f) assessment of the adequacy of the methods, tools and techniques used within the phase;

g) assessment of the competence of all personnel undertaking tasks within the phase.

6.8.5.2 Any errors or shortfalls may require the re-application of some or all of the activities of one or more previous life cycle phases.

6.9 Phase 9: System validation (including safety acceptance and commissioning)

6.9.1 Objectives

6.9.1.1 The objectives of this phase are to

a) validate that the total combination of sub-systems, components and external risk reduction measures comply with the RAMS requirements for the system;

b) commission the total combination of sub-systems, components and external risk reduction measures;

c) prepare, and if appropriate accept, the Application Specific Safety Case for the system;

d) provide for data acquisition and assessment.

6.9.1.2 It is important to note that the requirements of phase 10, System Acceptance, may be integrated with the requirements of this phase, phase 9, if appropriate to the system under consideration. If this is the case, then the deliverables from this phase shall demonstrate that the requirements of phase 10 have been adequately fulfilled in the realisation of phase 9.

6.9.2 Inputs

The input to this phase shall include all relevant information, and where appropriate, data, necessary to meet the requirement, and in particular the system requirements produced in phase 4, the Verification and Validation Plan produced in phase 4, the Commissioning Plan produced in phase 6 and the training material prepared in phase 7.

6.9.3 Requirements

6.9.3.1 Requirement 1 of this phase shall be to validate the total combination of sub-systems, components and external risk reduction measures according to the Validation Plan and record the validation process, including:

– details of RAMS validation tasks against acceptance criteria, including RAM demonstrations and safety analysis;

– details of process, tools, equipment used for validation tasks against acceptance criteria;

– results of validation tasks for all acceptance criteria;

– any limitations and constraints applying to the system;

– action taken to resolve failures and incompatibilities.

6.9.3.2 Requirement 2 of this phase shall be to

a) commission the total combination of sub-systems, components and external risk reduction measures according to the Commissioning Plan and record the commissioning process, including:

– commissioning tasks;

– failure reporting and assessment tasks;

– action taken to resolve failures and incompatibilities;

– details of any limitations or constraints on the use of the system;

b) undertake a probationary period of operation, if required, to enable the resolution of in-service system problems. Where use is made of a probationary period of operation as part of system acceptance, consideration shall be given to the need for system safety to be demonstrated prior to operation of the system in revenue earning service.

6.9.3.3 Requirement 3 of this phase shall be to prepare an Application Safety Case for the system, if not already prepared in phase 6 (item b) of 6.6.3.5), to justify that the system, as specifically applied within this application, complies with the system safety requirements. The Application Safety Case requires approval by the Railway Authority, and should include

– an overview of the system;

– a summary or reference to the safety requirements, including a consideration of the SIL justifications for safety functions within the application;

– a summary of the quality and safety management controls adopted within the life cycle;

– a summary of safety assessment and safety audit tasks;

– a summary of safety analysis tasks;

– an overview of the safety engineering techniques employed within the system;

– adequacy of compliance with safety requirements for the system, including adequacy of compliance with the SIL requirements of the application including its physical realisation within the specific application;

– a summary of any limitations and constraints applying to the application.

6.9.3.4 Requirement 4 of this phase shall be to establish and implement a process for the acquisition and assessment of operational data as an input to a system improvement process.

6.9.4 Deliverables

6.9.4.1 The results of this phase shall be documented, along with any assumptions and justifications made during the phase.

6.9.4.2 A record of all RAMS validation tasks undertaken within the phase, including the commissioning activity, shall be maintained.

6.9.4.3 An Application Specific Safety Case shall be produced for the system within this phase.

6.9.4.4 A record of all Acceptance Tasks undertaken within this phase shall be maintained.

6.9.4.5 The deliverables from this phase form a key input to subsequent life cycle phases.

6.9.5 Verification

6.9.5.1 The following process verification tasks shall be undertaken within this phase:

a) assessment of the adequacy of the information, and where appropriate, data and other statistics, used as input to tasks within this phase;

b) verification and validation, by analysis and test, that the installed system meets RAMS requirements. It should be noted that for some railway systems, acceptance of the Application Specific Safety Case will be required prior to installation and commissioning activities taking place;

c) verification that the commissioning activity was carried out in accordance with the Commissioning Plan;

d) assessment of the adequacy and effectiveness of the operational data collection system;

e) assessment of the adequacy of the methods, tools and techniques used within the phase;

f) assessment of the competence of all personnel undertaking tasks within the phase.

6.9.5.2 Any errors or shortfalls may require the re-application of some or all of the activities of one or more previous life cycle phases.

6.10 Phase 10: System acceptance

6.10.1 Objectives

The objectives of this phase are to

a) assess compliance of the total combination of sub-systems, components and external risk reduction measures with the overall RAMS requirements of the complete system;

b) accept the system for entry into service.

6.10.2 Inputs

The input to this phase shall include all relevant information, and where appropriate, data, necessary to meet the requirement, and in particular the system requirements prepared in phase 4, the Verification and Validation Plan and Acceptance Plan prepared in phase 4 and the record of verification and validation tasks prepared in phase 9.

6.10.3 Requirements

6.10.3.1 Requirement 1 of this phase shall be to assess all system verification and validation tasks, specifically the RAM verification and validation and the Application Specific Safety Case, in accordance with the System Acceptance Plan.

6.10.3.2 Requirement 2 of this phase shall be to formally accept the system for entry into service, if appropriate.

6.10.3.3 Requirement 3 of this phase shall be to review and update the Hazard Log to record any residual hazards identified during system validation or acceptance and to ensure that the risks from any such hazards are effectively managed.

6.10.4 Deliverables

6.10.4.1 The results of this phase shall be documented, along with any assumptions and justifications made during the phase.

6.10.4.2 A record of all acceptance tasks undertaken within the phase shall be maintained.

6.10.4.3 An updated Hazard Log shall be produced within this phase.

6.10.4.4 The deliverables from this phase form a key input to subsequent life cycle phases.

6.10.5 Verification

6.10.5.1 The following verification tasks shall be undertaken within this phase:

a) assessment of the adequacy of the information, and where appropriate, data and other statistics, used as input to tasks within this phase;

b) acceptance, by analysis and test, that the system meets the RAMS requirements, including life cycle cost requirements;

c) verification that the acceptance activity was carried out in accordance with the Acceptance Plan;

d) assessment of the continued applicability of the revised Safety Plan;

e) assessment to ensure that any residual hazards are being managed effectively;

f) assessment of the adequacy and completeness of the application specific safety case;

g) assessment of the adequacy of the methods, tools and techniques used within the phase;

h) assessment of the competence of all personnel undertaking tasks within the phase.

6.10.5.2 Any errors or shortfalls may require the re-application of some or all of the activities of one or more previous life cycle phases.

6.11 Phase 11: Operation and maintenance

6.11.1 Objectives

The objective of this phase shall be to operate (within specified limits), maintain and support the total combination of sub-systems, components and external risk reduction measures such that compliance with system RAMS requirements is maintained.

6.11.2 Inputs

The input to this phase shall include all relevant information, and where appropriate, data necessary to meet the requirement, and in particular the operation and maintenance procedures prepared in phase 6.

6.11.3 Requirements

6.11.3.1 Requirement 1 of this phase shall be to monitor implementation of the system and to implement the operation and maintenance procedures, particularly with regard to system performance and life cycle cost issues.

6.11.3.2 Requirement 2 of this phase shall be to assure compliance with system RAMS requirements throughout this phase by

a) regular review and update of operation and maintenance procedures;

b) regular review of system training documentation;

c) regular review and update of Hazard Log and Safety Case;

d) effective logistic support, including spare parts, tools, calibration, competent staff, RAMS focused maintenance;

e) maintenance of the Failure Reporting Analysis and Corrective Action System (FRACAS).

6.11.4 Deliverables

6.11.4.1 A record of all RAMS tasks undertaken within the phase shall be maintained, along with any assumptions and justifications made during the phase.

6.11.4.2 System documentation shall be updated, as appropriate, within this phase.

6.11.4.3 The deliverables from this phase form a key input to subsequent life cycle phases.

6.11.5 Verification

The following verification tasks shall be undertaken within this phase:

a) assessment of the adequacy of the information, and where appropriate, data and other statistics, used as input to tasks within this phase;

b) verification that changes in support arrangements are consistent with system RAMS requirements and life cycle cost requirements;

c) assessment of the adequacy of the methods, tools and techniques used within the phase;

d) assessment of the competence of all personnel undertaking tasks within the phase.

6.12 Phase 12: Performance monitoring

6.12.1 Objectives

The objective of this phase shall be to maintain confidence in the RAMS performance of the system.

6.12.2 Inputs

The input to this phase shall include all relevant information, and where appropriate, data necessary to meet the requirement, particularly system RAMS requirements and system support data.


6.12.3 Requirements

6.12.3.1 Requirement 1 of this phase shall be to establish, implement and regularly review a process for

– the collection of operational performance and RAMS statistics;

– the acquisition, analysis and evaluation of performance and RAMS data;

– checking that the assumptions made in the safety case remain valid.

6.12.3.2 Requirement 2 of this phase shall be to analyse performance and RAMS data and statistics to influence

– new operating and maintenance procedures;

– changes in logistic support for the system.

6.12.4 Deliverables

6.12.4.1 A record of all performance monitoring tasks undertaken within the phase shall be maintained, along with any assumptions and justifications made during the phase.

6.12.4.2 System support documentation may be updated within this phase.

6.12.4.3 The deliverables from this phase form a key input to subsequent life cycle phases.

6.12.5 Verification

The following process verification tasks shall be undertaken within this phase:

a) assessment of the adequacy of the information, and where appropriate, data and other statistics, used as input to tasks within this phase;

b) verification that changes in support arrangements are consistent with system RAMS requirements and life cycle cost requirements;

c) assessment of the adequacy of the methods, tools and techniques used within the phase;

d) assessment of the competence of all personnel undertaking tasks within the phase.

6.13 Phase 13: Modification and retrofit

6.13.1 Objectives

The objective of this phase shall be to control system modification and retrofit tasks to maintain system RAMS requirements.

6.13.2 Inputs

The input to this phase shall include all relevant information, and where appropriate, data, necessary to meet the requirement.


6.13.3 Requirements

6.13.3.1 Requirement 1 of this phase shall be to establish a Safety Plan.

6.13.3.2 Requirement 2 of this phase shall be to establish, implement and regularly review a process to control system modification and retrofit, in the context of RAMS, including:

– control through the mandatory use of an appropriate life cycle model for all modification and retrofitting tasks;

– a requirement to establish a procedure for verifying, validating and accepting the RAMS performance of the system following modification and retrofit;

– a requirement to analyse the reasons for the change;

– a requirement to carry out a RAMS impact analysis of the change, including the impact on life cycle cost requirements;

– a requirement to plan the implementation and subsequent acceptance of the change;

– a requirement to record modification and retrofit tasks;

– a requirement to update all affected system documentation.

6.13.4 Deliverables

6.13.4.1 The key deliverable from this phase is a validated, modified system.

6.13.4.2 The results of this phase shall be documented, along with any assumptions and justifications made during the phase.

6.13.4.3 A record of all verification, validation and acceptance tasks undertaken within the phase shall be maintained.

6.13.4.4 An updated Hazard Log should be produced within this phase.

6.13.4.5 An updated Application Safety Case shall be produced within this phase.

6.13.4.6 All RAM related documents should be reviewed and updated where necessary.

6.13.4.7 The deliverables from this phase form a key input to subsequent life cycle phases.

6.13.5 Verification

The following process verification tasks shall be undertaken within this phase:

a) assessment of the adequacy of the information, and where appropriate, data and other statistics, used as input to tasks within this phase;

b) verify and validate that any changes or modifications to the system are consistent with the RAMS requirements for the system and life cycle cost requirements;

c) assessment of the adequacy and completeness of any amended system documentation, in particular, any system safety case documents;

d) assessment of the adequacy of the methods, tools and techniques used within the phase;


e) assessment of the competence of all personnel undertaking tasks within the phase.

6.14 Phase 14: Decommissioning and disposal

6.14.1 Objectives

The objective of this phase shall be to control system decommissioning and disposal tasks.

6.14.2 Inputs

The input to this phase shall include all relevant information, and where appropriate, data necessary to meet the requirement.

6.14.3 Requirements

6.14.3.1 Requirement 1 of this phase shall be to

a) establish the impact of decommissioning and disposal on any system or external facility associated with the system to be de-commissioned;

b) plan the decommissioning, including the establishment of procedures for:

− the safe closing down of the system and any associated external facility;

− the safe dismantling of the system and any associated external facility;

− the continued assurance of compliance with RAMS requirements of any systems or external facility affected by the decommissioning of the system.

6.14.3.2 Requirement 2 of this phase shall be to provide an analysis of RAMS life cycle performance for input to future systems, including life cycle costings.

6.14.4 Deliverables

6.14.4.1 The results of this phase shall be documented, along with any assumptions and justifications made during the phase.

6.14.4.2 A record of all de-commissioning and disposal tasks undertaken within the phase shall be maintained.

6.14.4.3 An updated Hazard Log should be produced within this phase.

6.14.4.4 A Safety Plan should be established to address the de-commissioning and disposal tasks and closed out following completion of the work.

6.14.4.5 A revised Application Safety Case may be produced within this phase.

6.14.4.6 Updated documentation may be produced covering the continued compliance with RAMS requirements of affected associated systems during the decommissioning and disposal tasks.


6.14.5 Verification

The following process verification tasks shall be undertaken within this phase:

a) the adequacy of the information, and where appropriate, data and other statistics, used as input to tasks within this phase shall be assessed;

b) assessment of the adequacy of any documentation for systems affected by decommissioning and disposal activities;

c) assessment of the adequacy of the methods, tools and techniques used within the phase;

d) assessment of the competence of all personnel undertaking tasks within the phase.


Annex A (informative)

Outline of RAMS specification – example

A.1 General

In order to facilitate the application of this standard, a principal outline of a RAMS specification for railway systems is presented in this annex. This outline example relates to figure 8 and figure 9 of this standard and the corresponding descriptions of the life cycle phases detailed in clause 6, using rolling-stock as an example to provide supporting detail within the outline.

A.2 Outline

The basic structure and contents of a RAMS specification, part of the overall system requirements, may accord with the following outline.

1. Project identification

1.1 Identify project

1.2 Deliverables and deadlines

1.3 Project organisation and RAMS management

2. General system description

2.1 Technical description of system

2.2 Specific application and operation:

example for rolling stock:

− high speed train operation;

− train compositions;

− mission profile;

− geographical location;

− train schedule and tolerances;

− operation scenarios;

− safety principles;

− human factor considerations.

2.3 Technical description of sub-systems:

example for rolling stock:

− energy supply system;

− brake system;

− propulsion system;

− ventilation;

− protection system;

− control system;

− communication system;

− heating.


3. Operating and environmental conditions

3.1 Identify modes of operation:

example for rolling stock:

− operating time or distance per day;

− stand-by time per day;

− off-operating time per day.

3.2 Life expectancy:

example for rolling stock:

− planned total time of system use (years);

− average operating time per year.

3.3 Identify environmental conditions:

example for rolling stock:

− standards to follow;

− temperature range;

− temperature range of vehicle;

− in operation;

− off-operation;

− humidity range;

− maximum height above sea level.

4. Reliability

4.1 Reliability targets

4.2 Define the reliability targets in order to meet the required performance of the specific application (see item 2.2)

4.3 System Failure Modes and Mean Time Between Failure (MTBF):

example for rolling stock:

Failure category | System failure mode | Effect on operation | MTBF(.)*
Significant | Total failure | Operation not possible |
Major | Critical functional failure | Emergency operation 1 |
Minor | Non-critical functional failure | Emergency operation 2 |
Negligible | Negligible functional failure | Normal operation |

* MTBF(.) in hours, years or km.

For further reference see 4.5.2.2 table 1 and annex C, table C.1.

4.4 Effect on Operation/Performance:

example for rolling stock:

− Define the technical and operational conditions of what is meant in the application with total failure, emergency operation 1, emergency operation 2 and failures with no effect on operation.


Failure category | Effect on operation* | Performance: Power (%) | Performance: Speed (%) | Performance: (.) | Remarks
Significant | Operation not possible | 0 | 0 | |
Major | Emergency operation 1 | | | |
Minor | Emergency operation 2 | | | |
Negligible | Normal operation | 100 | 100 | | Reduced information display

* Define the technical and operational conditions in the application with respect to

− total failure;

− emergency operation 1;

− emergency operation 2;

− failures with no effect on operation.

5. Maintenance and repair

5.1 Preventive maintenance:

Description of the maintenance policy and the types of Revision R0-R3 encountered.

Example for rolling-stock:

Type of revision | MTBM (.) | MTTM (.)
R0 | |
R1 | |
R2 | |
R3 | |

MTBM: Mean Time Between Maintenance (hours, years or km).

MTTM: Mean Time To Maintain (mean duration of revision in hours or days).

For further reference see annex C, table C.2 and table C.4.

5.2 Repair

Description of the repair policy and the necessary logistic support.

• Specify the MTTR (Mean Time To Restore) of the system (in hours or days).

• Define the time elements which are comprised in the MTTR:

− call/travel time;

− access time;

− time for spare parts provision (logistics);

− repair/replacement time;

− test/start-up time;

− data acquisition time;

− waiting time.


• Specify the repair/replacement time and conditions of each repairable unit (maximum or mean repair/replacement times).

• Specify minimum spare parts provision and logistics support conditions.

Example:

Repairable unit | Mean repair/replacement time | Site of repair (field, shop) | Necessary number of repair men

6. Safety

6.1 Safety targets

• Describe the safety targets and policy of the application (see item 2.2).

6.2 Hazardous conditions

• Identify and list the hazards to be considered in the application.

• Specify the hazard probability levels (see 4.6.2.2, table 2).

6.3 Safety related functions and failures

• Identify and list the safety related functions, for example braking, or units, for example brake.

• Specify for each safety related function the safety related failures in the application (see also 4.3.6 and 4.3.7).

Example for rolling-stock:

Safety related function/unit | Specification of safety related failure | MTBSF* (years or km)
Braking | |
Coach door | |

* See annex C, table C.5.

• Safety hazard severity levels:

– define the applicable safety hazard severity levels (see 4.6.2.3, table 3).

• Risk classification:

– define the tolerability of risks (see 4.6.3.2 and 4.6.3.3).

7. Availability

The system availability A may be specified in parts attributed to

• planned non-availability (maintenance): 1 − AM

• unplanned non-availability (repair): 1 − AR

A = 1 − [(1 − AM) + (1 − AR)]

A = MUT/(MUT + MDT); 0 ≤ A ≤ 1


where

MUT = Mean Up Time; substitute as appropriate MTBF, MTBSF, etc.

MDT = Mean Down Time; substitute as appropriate MTTM, MTTR, etc.

MUT and MDT are to be defined for the specific Availability A(.), for example for the Availability AS of the "safe system" (MUT ≡ MTBSF). The resulting down time d(T) of the mission time T (e.g. 1 year) is

d(T) = (1 − A) × T

7.1 Availability Specification

• Specify the system availability A in conjunction with the maintenance and repair requirements (item 5).

• The maintenance and repair policy, on which a certain availability A is based, shall be stated.
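As an added worked example (not text or code from the standard), the availability relations of item 7 carried through in Python: AM and AR are formed from MTBM/MTTM and MTBF/MTTR as the substitutions above suggest, combined with the additive formula, and turned into the down time d(T) for a one-year mission. All input figures are constructed, the AvailabilitySpec and safe_system_availability names are the example's own, and the remark that the additive form is conservative relative to the product AM × AR is the example's observation, not the standard's.

```python
"""Availability and expected down time, following item 7 of Annex A.
Added example, not part of EN 50126 / IEC 62278; all numeric inputs
used below are constructed for illustration."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0  # mission time T of one year, expressed in hours


def availability(mut: float, mdt: float) -> float:
    """A(.) = MUT / (MUT + MDT).

    MUT and MDT must be in the same unit (both hours, both km, ...); the
    outline leaves the choice to the specific availability being defined."""
    if mut < 0 or mdt < 0:
        raise ValueError("MUT and MDT must be non-negative")
    if mut + mdt == 0:
        raise ValueError("MUT + MDT must be positive")
    return mut / (mut + mdt)


def combined_availability(a_m: float, a_r: float) -> float:
    """A = 1 - [(1 - AM) + (1 - AR)], the additive form given in the outline.

    Adding the planned and unplanned non-availabilities treats the two kinds
    of outage as never overlapping, so the result is slightly lower (more
    conservative) than the product AM * AR."""
    for a in (a_m, a_r):
        if not 0.0 <= a <= 1.0:
            raise ValueError("availabilities must lie in [0, 1]")
    return 1.0 - ((1.0 - a_m) + (1.0 - a_r))


def down_time(a: float, mission_time: float) -> float:
    """d(T) = (1 - A) x T, in the unit of mission_time."""
    return (1.0 - a) * mission_time


@dataclass(frozen=True)
class AvailabilitySpec:
    """MUT/MDT pairs substituted as the outline suggests: MTBM/MTTM for the
    planned (maintenance) part, MTBF/MTTR for the unplanned (repair) part.
    All four values in hours (constructed inputs; hypothetical class name)."""
    mtbm: float
    mttm: float
    mtbf: float
    mttr: float

    def planned(self) -> float:           # AM
        return availability(self.mtbm, self.mttm)

    def unplanned(self) -> float:         # AR
        return availability(self.mtbf, self.mttr)

    def overall(self) -> float:           # A
        return combined_availability(self.planned(), self.unplanned())

    def annual_down_time(self) -> float:  # d(T) for T = 1 year, in hours
        return down_time(self.overall(), HOURS_PER_YEAR)


def safe_system_availability(mtbsf: float, ttrs: float) -> float:
    """AS of the "safe system": MUT = MTBSF, MDT = Time to Return to Safety
    (TTRS, annex C table C.5), both in the same unit."""
    return availability(mtbsf, ttrs)


if __name__ == "__main__":
    # Constructed figures for a rolling-stock sub-system, all in hours.
    spec = AvailabilitySpec(mtbm=500.0, mttm=8.0, mtbf=2000.0, mttr=24.0)
    print(f"AM = {spec.planned():.5f}  AR = {spec.unplanned():.5f}")
    print(f"A  = {spec.overall():.5f}  d(1 year) = "
          f"{spec.annual_down_time():.1f} h")
```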

8. Demonstration of RAMS-performance

Define the demonstration of RAMS-performance in line with phase 9: System Validation and phase 10: System Acceptance. Demonstration of RAMS-performance is facilitated by compiling evidence, such as:

− RAMS management and organisation;

− availability of RAMS resources;

− RAMS requirements specification;

− RAMS Plans and Programs;

− RAMS related review reports;

− RAMS analysis reports;

− RAMS testing records (components);

− failure data acquisition (statistics);

− application specific safety case;

− system validation and acceptance;

− RAMS performance monitoring during early operating phase;

− life cycle cost evaluation.

9. RAMS programme

A RAM programme and Safety Plan shall be devised by the supplier that is judged to be the most effective for the attainment of the RAMS requirements for the project.

An example of a basic RAMS programme is presented in annex B.


Annex B (informative)

RAMS programme

B.1 This annex gives an example of an outline procedure for a basic RAM programme/Safety Plan and shows an example of a basic RAMS programme (RAM programme/Safety Plan). It also lists some methods and tools for RAMS management and analysis.

B.2 The supplier should establish a RAMS Programme which will effectively facilitate meeting the RAMS requirements of the application under consideration. The RAMS Programs of similar projects or system requirements of a supplier may yield a "standard RAMS program" which establishes the "RAMS-Baseline" of a company.

B.3 Procedure:

An outline example procedure for a basic RAMS Programme is given below.

1. Define the appropriate life cycle which is in line with the company's business process.
Result: the company's life cycle or project phases are established.

2. Assign to each project phase the phase related RAM and safety tasks which are necessary to confidently meet the project and system specific requirements.
Result: all necessary RAMS tasks in the life cycle are identified.

3. Define the responsibilities in the company to carry out each RAMS task.
Result: the staff responsible and necessary RAMS resources are identified.

4. The necessary instructions, tools and reference documents for each RAMS task are defined.
Result: documented RAMS management.

5. The RAMS activities are implemented in the processes of the company.
Result: process integrated RAMS management (RAMS-baseline).

B.4 Basic RAMS Programme example:

An outline for a Basic RAMS Programme is given in table B.1. The outline consists of an example of a set of tasks which could be applied to a particular project.


Table B.1 – Example of a Basic RAMS Programme outline

Columns: Project phase | RAMS tasks | Responsibility | Reference document (the Responsibility and Reference document columns are left blank in the outline, to be completed for the particular project)

Pre-acquisition:
Evaluate RAMS targets of specific application

Feasibility study:
− Evaluate RAMS requirements
− Evaluate past data and experience of RAMS
− Identify influence on safety imposed by specific application
− Consult customer on RAMS (if necessary)

Invitation for tenders:
− Perform preliminary RAMS analysis (worst case)
− Apportion system RAMS requirements (sub-systems/equipment, other relevant systems, etc.)
− Perform system hazard and safety risk analysis
− Perform RAM related risk analysis
− Prepare for future RAMS data assessment
− Clause to clause comments concerning RAMS

Contract negotiations:
− Review/update preliminary RAMS analysis and RAMS apportionment

Order processing: Definition of system requirements:
− Establish project specific RAMS management
− Specify system RAMS requirements (overall)
− Establish RAMS programme (standard RAMS programme sufficient?)
− Assign RAMS requirements to sub-contractors, suppliers
− Define RAMS acceptance criteria (overall)

Order processing: Design and implementation:
− Reliability analysis (FMEA)
− Safety analysis (FMECA), if applicable
− Maintenance/repair analysis; define maintenance/repair policy
− Availability analysis based on the maintenance/repair policy
− RAMS reviews
− Life cycle cost estimation
− RAMS demonstration, evidence compilation
− Design/manufacturing FMEA
− Reliability and maintainability testing, if applicable

Procurement:
− Provide RAMS specification for sub-contractors/suppliers

Manufacturing/testing:
− RAMS related quality assurance/process assurance

Commissioning/acceptance:
− Perform RAM demonstration
− Prepare application specific Safety Case
− Initiate RAMS data assessment
− RAM testing during early operation, data screening and evaluation

Operation/maintenance:
− Provisional operation and maintenance (maintenance/repair policy)
− Operation and maintenance personnel training
− RAMS data assessment
− Life cycle cost assessment
− Performance review


B.5 List of tools:

Some appropriate methods and tools for conducting and managing a RAMS Programme are listed below. The choice of the relevant tool will depend on the system under consideration and the criticality, complexity, novelty, etc. of the system.

1. An outline form of RAMS specification: in order to assure assessment of all relevant RAMS requirements. (See annex A for an example.)

2. Procedures for formal design reviews: with emphasis on RAMS, using some general and application specific check lists as appropriate. Example:

IEC 61160 Formal design review; (amendment 1)

3. Procedures for performing "top down" (deductive methods) and "bottom up" (inductive methods) preliminary, worst case and in-depth RAM analysis for simple and complex functional system structures: an overview of commonly used RAM analysis procedures, methods, advantages and disadvantages, data input and other requirements for the various techniques is given in:

IEC 60300-3-1 Dependability management – Part 3: Application guide – Section 1: Analysis techniques for dependability: Guide on methodology

The various RAM analysis techniques are described in separate standards, some of which are as follows:

IEC 60706 Guide on maintainability of equipment

IEC 60706-1 Part 1: Sections One, Two and Three: Introduction, requirements and maintainability programme

IEC 60706-2 Part 2: Section 5: Maintainability studies during the design phase

IEC 60706-3 Part 3: Sections Six and Seven: Verification and collection, analysis and presentation of data

IEC 60706-4 Part 4: Section 8: Maintenance and maintenance support planning

IEC 60706-5 Part 5: Section 4: Diagnostic testing

IEC 60706-6 Part 6: Section 9: Statistical methods in maintainability evaluation

IEC 60812 Analysis techniques for system reliability – Procedures for failure mode and effects analysis (FMEA)

IEC 60863 Presentation of reliability, maintainability and availability predictions

IEC 61025 Fault tree analysis (FTA)

IEC 61078 Analysis techniques for dependability – Reliability block diagram method

IEC 61165 Application of Markov techniques

Availability of supportable statistical "RAM" data for the components used in a design (typically: failure rates, repair rates, maintenance data, failure modes, event rates, distribution of data and random events, etc.) is fundamental to RAM analysis, for example:


IEC 61709 (1996) Electronic components – Reliability – Reference conditions for failure rate and stress models for conversion

US MIL HDBK 217 Reliability Prediction for Electronic Systems

A number of computer programmes for system RAM analysis and statistical data analysis are also available.

4. Procedures for performing hazard and safety/risk analysis. Some of these are described in:

US MIL HDBK 882D System safety programme requirements

US MIL HDBK 764 (MI) System safety engineering, design guide for army material

The same basic techniques and analysis methods listed for RAM (item 3) are also applicable for safety/risk analysis.

Also see IEC 61508, Parts 1 to 7, under the general title Functional safety of electrical/electronic/programmable electronic safety-related systems, consisting of the following parts:

− Part 1: General requirements

− Part 2: Requirements for electrical/electronic/programmable electronic systems

− Part 3: Software requirements

− Part 4: Definitions and abbreviations

− Part 5: Examples of methods for the determination of safety integrity levels

− Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3

− Part 7: Overview of techniques and measures

5. RAMS testing plans and procedures: in order to test the long-term operating behaviour of components, equipment or systems and to demonstrate compliance with the requirements. Furthermore, RAMS analysis and test results are used to devise RAMS improvement programmes, for example:

IEC 60300-3-5 Dependability management – Part 3-5: Application guide – Reliability test conditions and statistical test principles

IEC 60605: Equipment reliability testing

IEC 60605-2 Part 2: Design of test cycles

IEC 60605-3-1 Part 3: Preferred test conditions. Indoor portable equipment - Low degree of simulation

IEC 60605-3-2 Part 3: Preferred test conditions - Equipment for stationary use in weather-protected locations - High degree of simulation

IEC 60605-3-3 Part 3: Preferred test conditions - Section 3: Test cycle 3: Equipment for stationary use in partially weather-protected locations - Low degree of simulation

IEC 60605-3-4 Part 3: Preferred test conditions - Section 4: Test cycle 4: Equipment for portable and non-stationary use - Low degree of simulation


IEC 60605-4 Part 4: Statistical procedures for exponential distribution – Point estimates, confidence intervals, prediction intervals and tolerance intervals

IEC 60605-6 Part 6: Tests for the validity of the constant failure rate or constant failure intensity assumptions

IEC 61014 Programmes for reliability growth

IEC 61070 Compliance test procedure for steady-state availability

IEC 61123 Reliability testing - Compliance test plan for success ratio

Of greater importance is the assessment of RAMS data from the field (RAMS testing during operation), for example:

IEC 60300-3-2 Dependability management - Part 3: Application guide - Section 2: Collection of dependability data from the field

IEC 60319 Presentation of reliability data on electronic components (or parts)

6. Procedures/tools to perform LCC analysis (Life Cycle Cost): various computer programmes are available for LCC analysis.


Annex C (informative)

Examples of parameters for railway applications

Examples of typical parameters and symbols, suitable for use in railway applications, are tabulated below.

C.1 Reliability parameters

Table C.1 – Examples of reliability parameters

PARAMETER | SYMBOL | DIMENSION
Failure Rate | Z(t), λ | Failures/time, distance, cycle
Mean Up Time | MUT | Time, distance, cycle
Mean Time To Failure / Mean Distance To Failure (for non-repairable items) | MTTF / MDTF | Time, distance, cycle
Mean Time Between Failure / Mean Distance Between Failure (for repairable items) | MTBF / MDBF | Time, distance, cycle
Failure Probability | F(t) | Dimensionless
Reliability (success probability) | R(t) | Dimensionless

C.2 Maintainability parameters

Table C.2 – Examples of maintainability parameters

PARAMETER | SYMBOL | DIMENSION
Mean Down Time | MDT | Time, distance, cycle
Mean Time/Distance Between Maintenance | MTBM/MDBM | Time, distance, cycles
MTBM/MDBM, corrective or preventive | MTBM(c)/MDBM(c), MTBM(p)/MDBM(p) | Time, distance, cycles
Mean Time To Maintain | MTTM | Time
MTTM, corrective or preventive | MTTM(c), MTTM(p) | Time
Mean Time To Restore | MTTR | Time
False Alarm Rate | FAR | Time⁻¹


C.3 Availability parameters

Table C.3 – Examples of Availability Parameters

PARAMETER | SYMBOL | DIMENSION
Availability: inherent / achieved / operational | A(.) = MUT/(MUT+MDT): Ai / Aa / Ao | Dimensionless
Fleet availability | FA (= available vehicles/fleet) | Dimensionless
Schedule adherence | SA | Dimensionless

C.4 Logistic support parameters

Table C.4 – Examples of Logistic Support Parameters

PARAMETER | SYMBOL | DIMENSION
Operation and Maintenance Cost | O&MC | Money
Maintenance Cost | MC | Money
Maintenance Man Hours | MMH | Time (hours)
Logistic and Administrative Delay | LAD | Time
Fault correction time | | Time
Repair time | | Time
Maintenance support performance | | Dimensionless
Employees for Replacement | EFR | Dimensionless
Probability of Spare Parts on Stock when needed | SPS | Dimensionless

C.5 Safety parameters

Table C.5 – Examples of safety performance parameters

PARAMETER | SYMBOL | DIMENSION
Mean Time Between Hazardous Failure | MTBF(H) | Time, distance, cycle
Mean Time Between "Safety System Failure" | MTBSF | Time, distance, cycle
Hazard Rate | H(t) | Failures/time, distance, cycle
Safety Related Failure Probability | Fs(t) | Dimensionless
Probability of Safe Functionality | Ss(t) | Dimensionless
Time to Return to Safety | TTRS | Time


Annex D (informative)

Examples of some risk acceptance principles

NOTE Values given in this annex are only to illustrate the principles and are not intended to be used for any other purpose.

D.1 As Low As Reasonably Practicable (ALARP) principle (practised in UK)

The principle may be represented by the following diagram:

[Figure: ALARP diagram, regions listed from highest to lowest risk]

− Unacceptable region: risk cannot be justified except in extraordinary circumstances.

− The ALARP or tolerability region (risk is undertaken only if a benefit is desired): tolerable only if risk reduction is impracticable or if cost is grossly disproportionate to the improvement gained; tolerable if cost of reduction would exceed the improvement gained.

− Broadly acceptable region (no need for detailed working to demonstrate ALARP): necessary to maintain assurance that risk remains at this level.

D.1.1 Some risks are so large and some outcomes so unacceptable that they are intolerable and cannot be justified on any grounds. The upper bound defines levels of risk that are intolerable. If the level of risk cannot be reduced below this bound then the operation should not be carried out.

D.1.2 The lower bound of the diagram defines the broadly acceptable region where risks are considered to be so low that strenuous efforts to reduce them further would not be likely to be justified by any ALARP criteria.


D.1.3 The area between the upper and lower bounds is called the ALARP region. It must be stressed that it is not sufficient to demonstrate that risks are in the ALARP region. They must be made as low as reasonably practicable. There are various ways to demonstrate ALARP. It may be sufficient to show that the best available current standards and practices are being applied. For novel operations, or where the adequacy of current standards or practices is in doubt, the concepts of cost benefit analysis and value of life can be introduced.

D.1.4 Societal risk has to be examined when there is the possibility of a catastrophe involving a large number of casualties. The dislike of large accidents is termed "Differential Risk Aversion" (DRA). This may be expressed by a slope of (−1) in the log F-N curve, where F is the frequency of occurrence (year⁻¹) and N the number of casualties for an occurrence.

D.2 "Globalement Au Moins Aussi Bon" (GAMAB) principle (practised in France)

The complete formulation of this principle is as follows: "All new guided transport systems must offer a level of risk globally at least as good as the one offered by any equivalent existing system".

D.2.1 This formulation takes into account what has been done and requires implicitly a progress to be made in the projected system, by the requirement "at least". It does not consider a particular risk, by the requirement "globally". The transport system supplier is free to distribute allocation between the different risks inherent to the system and applies the relevant approach, i.e. qualitative or quantitative.

D.2.2 When a quantitative approach is applied, it may be translated in the following way:

1. Let τc.ref be the fraction (casualties/passenger; casualties caused by collision between two trains) experienced for a certain number of transported passengers by a transport system in the last years of operation. This fraction should be extracted from the statistics for the existing system and form the reference for the new system, of the same nature.

2. Now consider the new (replacement) system. For this system let:

C = capacity of one train (passengers/train)

F = frequency of trains (trains/hour)

r = mean occupation coefficient (train not completely full)

nc = number of casualties per collision in this new system

Dm = throughput (passengers/hour) = r × C × F

Therefore, the number of collisions actually seen by each passenger (col) must be:

col = (τc.ref/nc) collisions/passenger

Also the collision rate for the new system must be smaller than that of the existing system. Therefore,

λc ≤ col × Dm

= (τc.ref/nc) × Dm

= τc.ref × (r × C/nc) × F collisions/hour


3. Remarks:

− It is assumed that the proportion of casualties among the passengers in the same train is the same for the existing system and the projected system: i.e. nc/(r × C) = constant;

− λc can be a tough requirement for a poor quality of service, especially for a low value of F (frequency of trains);

− improvement is driven by the sign ≤;

− the designer/supplier is free to distribute λc between way-side equipment and on-board equipment.
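The quantitative GAMAB check of D.2.2 as an added worked example in Python (not part of the standard): τc.ref is taken from constructed statistics of the existing system, the bound on λc is computed from C, F, r and nc, and the first remark's assumption nc/(r × C) = constant and the second remark's dependence on F are made visible. All figures are constructed, the NewSystem class and function names are the example's own, and the conversion of a rate to mean years between collisions is an addition for readability.

```python
"""Quantitative GAMAB check from Annex D.2.2.  Added example, not part of
EN 50126 / IEC 62278; the statistics and train parameters are constructed."""
from dataclasses import dataclass

HOURS_PER_YEAR = 8760.0


@dataclass(frozen=True)
class NewSystem:
    """Parameters of the projected (replacement) system, named as in D.2.2
    (hypothetical class; constructed values are passed in by the caller)."""
    capacity: float                  # C, passengers/train
    frequency: float                 # F, trains/hour
    occupation: float                # r, mean occupation coefficient (0 < r <= 1)
    casualties_per_collision: float  # nc, casualties per collision

    def __post_init__(self) -> None:
        if not 0.0 < self.occupation <= 1.0:
            raise ValueError("r must lie in (0, 1]")
        if min(self.capacity, self.frequency, self.casualties_per_collision) <= 0:
            raise ValueError("C, F and nc must be positive")

    def throughput(self) -> float:
        """Dm = r x C x F (passengers/hour)."""
        return self.occupation * self.capacity * self.frequency

    def casualty_proportion(self) -> float:
        """nc / (r x C): share of one train's passengers who become casualties
        in a collision.  Remark 1 assumes this is the same for the existing
        and the projected system."""
        return self.casualties_per_collision / (self.occupation * self.capacity)


def reference_fraction(casualties: int, passengers_transported: int) -> float:
    """tau_c.ref: collision casualties per transported passenger, taken from
    the statistics of the existing system."""
    if passengers_transported <= 0:
        raise ValueError("passengers_transported must be positive")
    return casualties / passengers_transported


def collisions_per_passenger(tau_ref: float, system: NewSystem) -> float:
    """col = tau_c.ref / nc (collisions/passenger)."""
    return tau_ref / system.casualties_per_collision


def max_collision_rate(tau_ref: float, system: NewSystem) -> float:
    """Upper bound on lambda_c: col x Dm = tau_c.ref x (r x C / nc) x F,
    in collisions/hour."""
    return collisions_per_passenger(tau_ref, system) * system.throughput()


def gamab_satisfied(predicted_lambda_c: float, tau_ref: float,
                    system: NewSystem) -> bool:
    """True when the predicted collision rate of the new system
    (collisions/hour) does not exceed the GAMAB bound."""
    return predicted_lambda_c <= max_collision_rate(tau_ref, system)


def mean_years_between_collisions(lambda_c: float) -> float:
    """Convert a collision rate (collisions/hour) to a mean interval in years,
    for comparison with MTBSF-style figures (the example's own convenience)."""
    if lambda_c <= 0:
        raise ValueError("rate must be positive")
    return 1.0 / lambda_c / HOURS_PER_YEAR


if __name__ == "__main__":
    # Constructed reference statistics: 5 collision casualties over 1e9 passengers.
    tau_ref = reference_fraction(5, 1_000_000_000)
    for f in (10.0, 2.0):  # remark 2: the bound tightens as F falls
        s = NewSystem(capacity=400.0, frequency=f, occupation=0.6,
                      casualties_per_collision=20.0)
        bound = max_collision_rate(tau_ref, s)
        print(f"F={f:4.1f} trains/h: lambda_c <= {bound:.3e} /h "
              f"(one collision per {mean_years_between_collisions(bound):.0f} years)")
```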

D.3 Minimum Endogenous Mortality (MEM) principle (practised in Germany)

This principle has been derived in the following manner:

1. Death will result from many different causes. One such group of causes is termed "technological facts", for example

− entertainment and sport (surf, trial, etc.);

− do-it-yourself activities (lawn mowing, etc.);

− work machines;

− transport.

The following are not included:

− death by illness or disease;

− death by congenital malformation.

This group results in a certain percentage of death per annum that varies according to the age of the population being considered. This risk is referred to as "Endogenous Mortality" "R".

2. In well-developed countries, R is the lowest for the age group 5 years to 15 years. This lowest level of Endogenous Mortality, known as "Minimum Endogenous Mortality", denoted by "Rm", has been determined as:

Rm = 2 × 10⁻⁴ fatalities/person × year

3. From the above, the following rule is formulated: "Hazards due to a new system of transport would not significantly augment the figure Rm". In practice the following figures may be used:

R1 ≤ 10⁻⁵ fatality/person × year

R2 ≤ 10⁻⁴ heavy injuries/person × year

R3 ≤ 10⁻³ light injuries/person × year

This point of view is highly individualistic: the family of the person suffering the casualty will not find any solace in the fact that the person perished in a huge catastrophe or a small one. This is true as far as actual means of transport are concerned (train, plane, etc.). For systems that may result in a large number of fatalities, "differential risk aversion" (DRA) is introduced by a decreasing slope as presented in the following curve:


[Figure: Minimum Endogenous Mortality with differential risk aversion. Vertical axis: tolerable individual risk (fatalities/person × year), from 10⁻³ down to 10⁻¹⁰; horizontal axis: number of fatalities, from 10⁰ to 10⁶.]


Annex E (informative)

Responsibilities within the RAMS process throughout the life cycle

As a general guideline, for a typical railway project, the following applies.

− Requirements are usually established by the customer or a regulatory (legal) authority.
− Approval and acceptance is similarly carried out by the customer or the regulatory authority.
− Solutions, their results and verifications are normally elaborated or performed by the contractor.
− Validation is normally performed jointly.

This general rule, however, depends on the contractual and legal relationship between the parties involved.

However, this standard requires that, in each case, the responsibilities for the tasks in the various life cycle phases are defined and agreed. The following matrix gives an example of responsibilities for a typical arrangement.

Columns: Customer/operator | Approval authority | (Main) Contractor | Sub-contractor | Suppliers

Concept phase X

System definition and application conditions X

Risk analysis X X

System requirements X (X)

Apportionment of system requirements (X) X

Design and implementation X (X)

Manufacture X X X

Installation X (X)

System validation X X X (X)

System acceptance X X

Operation and maintenance X (X) (X)

Performance monitoring X (X) (X)

Modification and retrofit X X X

De-commissioning and disposal X (X)

X = full responsibility and participation.

(X) = specific responsibility and/or partial participation (e.g. on sub-contract or on standby basis).

___________


ISBN 2-8318-XXXX-X

ICS 45.060

Typeset and printed by the IEC Central Office, GENEVA, SWITZERLAND